Add TOTP security warning (#33375)

dotnet · Aug 16, 2024 · d143d7b · d143d7b
1 parent 0fb61a6
commit d143d7b
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/aspnetcore/blazor/security/server/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/server/qrcodes-for-authenticator-apps.md
@@ -13,6 +13,9 @@ This article explains how to configure an ASP.NET Core Blazor Web App with QR co
 
 For an introduction to two-factor authentication (2FA) with authenticator apps using a Time-based One-time Password Algorithm (TOTP), see <xref:security/authentication/identity-enable-qrcodes>.
 
+> [!WARNING]
+> An ASP.NET Core TOTP code should be kept secret because it can be used to authenticate successfully multiple times before it expires.
+
 ## Scaffold the Enable Authenticator component into the app
 
 Follow the guidance in <xref:security/authentication/scaffold-identity#scaffold-identity-into-a-blazor-project> to scaffold `Pages\Manage\EnableAuthenticator` into the app.
@@ -125,6 +128,9 @@ private string GenerateQrCodeUri(string email, string unformattedKey)
 
 Run the app and ensure that the QR code is scannable and that the code validates.
 
+> [!WARNING]
+> An ASP.NET Core TOTP code should be kept secret because it can be used to authenticate successfully multiple times before it expires.
+
 ## `EnableAuthenticator` component in reference source
 
 The `EnableAuthenticator` component can be inspected in reference source: