Two Factor Authentication Prevent Conflicting Accounts

[daviian]

• Gitea version (or commit ref): 1.1.3
• Git version: 2.1.4
• Operating system: raspbian
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

If you have accounts on multiple gitea instances it could happen that you overwrite an existing TOTP Key. This is due to the way TOTP Authentication Apps handle entries, see https://github.com/google/google-authenticator/wiki/Conflicting-Accounts.
The circumstances under which this happens:

• Same Application Name
• Same Account Name
• On both instances TOTP enabled

In the worst scenario a user can get locked out of one instance.
Happend to me once but fortunately had access to the database and was able to delete the entry in two_factor table.

I have already opened in issue at pquerna/otp#20
Owner mentioned that library exposes all needed stuff to prevent this and a possible solution pquerna/otp#20 (comment)
Unfortunately with his proposed solution the problem still exists if same application name is used.
I'd rather use the URL from the gitea installation.

[daviian]

@lunny As it is already merged I think it can be closed?