Anonymous Intelligence Signal

Kratos TOTP Security Flaw: Client-Side Counter Allows Brute-Force Attack on 2FA

human | The Lab | unverified | 2026-04-01 04:27:00 | Source: GitHub Issues

A critical security vulnerability in the Kratos identity management system allows attackers to bypass two-factor authentication (2FA) protections. The flaw resides in the current TOTP (Time-based One-Time Password) login challenge, which uses a client-controlled cookie to track failed verification attempts. Because the counter is stored in the user's browser, an attacker can simply delete the cookie to reset it, enabling them to brute-force all 1,000,000 possible 6-digit TOTP codes without ever being locked out. This design fundamentally undermines the security of the second authentication factor.

The security review, conducted by a CIAM (Customer Identity and Access Management) expert, mandates an urgent architectural shift. The requirement is to replace the client-side cookie with a server-side tracking mechanism. This new system must key attempts to the Kratos flow ID—not the user's identity ID, as the user's identity is not yet confirmed at the TOTP verification stage. The implementation must enforce a strict limit: after the 5th consecutive failed attempt for a given flow, the system must call the Kratos admin API to expire the entire login flow, forcing the user to restart authentication from the password step.

To prevent information leakage that could aid an attacker, the system must return identical error responses for the first four failures, hiding the lockout threshold. All TOTP verification failures must be logged with the flow ID, source IP, and timestamp for security monitoring. A significant technical challenge remains: the solution must function correctly in a horizontally scaled production environment where Hera, the service handling this logic, runs across multiple instances. The server-side counter must be consistently shared or synchronized across all instances to prevent an attacker from bypassing limits by routing requests to different servers.
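The design described above (counter keyed by flow ID rather than identity ID, fifth consecutive failure expires the flow through the admin API, identical responses for the first four failures, logging of flow ID, source IP and timestamp, and a counter shared across Hera instances) is sketched below as an added example. It is not code from Kratos, Hera or the issue reporter. The Kratos admin-API call, the TOTP check and the shared store are all injected stand-ins: `verify_code` and `expire_flow` are assumed callables, `SharedCounterStore` is an in-memory substitute for a network store such as Redis, `FLOW_LIFESPAN_SECONDS` is an assumed value, and the flow ID, code and IP address in the simulation are constructed.

```python
"""Added example: server-side TOTP failure counter keyed by the Kratos login-flow ID."""
import hmac
import logging
import time
from typing import Callable, Dict, List, Optional

logger = logging.getLogger("hera.totp")

MAX_FAILED_ATTEMPTS = 5          # the 5th consecutive failure expires the flow
FLOW_LIFESPAN_SECONDS = 15 * 60  # assumed value; should match the Kratos login-flow lifespan


class SharedCounterStore:
    """Counter store that every Hera instance talks to.

    Stand-in for a network store such as Redis (INCR + EXPIRE); this in-memory
    version exists only so the example runs offline. The contract that matters:
    increment() is atomic and all instances observe the same value.
    """

    def __init__(self) -> None:
        self._counts: Dict[str, int] = {}
        self._expires_at: Dict[str, float] = {}

    def increment(self, key: str, ttl_seconds: int, now: Optional[float] = None) -> int:
        now = time.time() if now is None else now
        if key in self._expires_at and self._expires_at[key] <= now:
            self.delete(key)                           # stale counter from an expired flow
        if key not in self._counts:
            self._expires_at[key] = now + ttl_seconds  # TTL is set on the first failure only
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key]

    def delete(self, key: str) -> None:
        self._counts.pop(key, None)
        self._expires_at.pop(key, None)


class TotpFlowGuard:
    """TOTP submission handler for one Hera instance.

    verify_code(flow_id, code) performs the real check (in Hera this would be
    the submission to Kratos; here it is injected). expire_flow(flow_id) is the
    admin-API call that invalidates the login flow (also injected; the page
    does not name the endpoint).
    """

    # One fixed response for failures 1..4 so the lockout threshold is not observable.
    INVALID = {"ok": False, "error": "invalid_totp_code"}

    def __init__(self, store: SharedCounterStore,
                 verify_code: Callable[[str, str], bool],
                 expire_flow: Callable[[str], None]) -> None:
        self.store = store
        self.verify_code = verify_code
        self.expire_flow = expire_flow
        self.audit: List[dict] = []  # kept in memory so the simulation can inspect the log

    @staticmethod
    def _key(flow_id: str) -> str:
        return f"totp-failures:{flow_id}"  # keyed by flow ID, never by identity ID

    def submit(self, flow_id: str, code: str, source_ip: str) -> dict:
        if self.verify_code(flow_id, code):
            self.store.delete(self._key(flow_id))      # success clears the counter
            return {"ok": True}
        failures = self.store.increment(self._key(flow_id), FLOW_LIFESPAN_SECONDS)
        record = {"flow_id": flow_id, "source_ip": source_ip,
                  "timestamp": time.time(), "failures": failures}
        self.audit.append(record)
        logger.warning("TOTP verification failed", extra=record)
        if failures >= MAX_FAILED_ATTEMPTS:
            self.expire_flow(flow_id)                  # user must restart from the password step
            self.store.delete(self._key(flow_id))
            return {"ok": False, "error": "login_flow_expired"}
        return dict(self.INVALID)


def simulate_distributed_brute_force() -> dict:
    """Two Hera instances share one store; wrong codes alternate between them."""
    # Constructed stand-in for Kratos: active flows and the code each one expects.
    kratos_flows = {"flow-demo-0001": "492133"}

    def verify_code(flow_id: str, code: str) -> bool:
        expected = kratos_flows.get(flow_id)
        return expected is not None and hmac.compare_digest(expected, code)

    def expire_flow(flow_id: str) -> None:
        kratos_flows.pop(flow_id, None)  # what the admin-API expiry call would achieve

    store = SharedCounterStore()
    instances = [TotpFlowGuard(store, verify_code, expire_flow) for _ in range(2)]
    errors = []
    for attempt in range(MAX_FAILED_ATTEMPTS):  # codes 000000..000004, alternating instances
        guard = instances[attempt % 2]
        errors.append(guard.submit("flow-demo-0001", f"{attempt:06d}", "203.0.113.7")["error"])
    return {"errors": errors, "flow_alive": "flow-demo-0001" in kratos_flows,
            "audit_entries": sum(len(g.audit) for g in instances)}
```

Because the counter lives in the shared store, routing the five attempts across two instances still produces four identical `invalid_totp_code` responses followed by `login_flow_expired`, and every failure is recorded with its flow ID, source IP and timestamp. A counter held in a per-instance dictionary or a browser cookie would restart from zero on each new instance or each deleted cookie, which is exactly the weakness the review describes.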