Timing Side-Channel Exposes Trusted Device Tokens in Authentication Service
A timing attack vulnerability has been identified in the trusted device verification logic of a production authentication service, giving an adversary a potential way to enumerate valid device tokens by measuring differences in response latency. The flaw resides in the isTrustedDevice method within src/auth/two-factor.service.ts, where an early return on device match produces a measurable timing difference compared to iterations that find no match.
The vulnerable code path loops sequentially over all trusted devices, invoking hashingService.verify for each entry and returning as soon as a match is found. This pattern creates a side-channel: an attacker observing response times can infer whether a tested token exists in the trusted devices collection from whether execution terminates early or runs through the full iteration count. Security researchers note that this enumeration risk compounds when trusted device lists are finite or predictable in length, making the timing distinctions more pronounced and actionable.
The issue has been flagged for remediation. The suggested fixes are constant-time comparison logic, or moving token verification into the database layer, where the raw token is hashed before comparison. Until patched, the authentication service remains exposed to credential enumeration attacks targeting its two-factor verification flow. Organizations running this codebase should prioritize review of the referenced file and consider implementing the recommended constant-time fix to eliminate the side-channel.
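The following TypeScript is an added illustration of the loop pattern described above and of both suggested remediations; it is not code from the affected service. The real hashingService.verify is not shown on the page, so a constructed stand-in (unsalted SHA-256 compared with crypto.timingSafeEqual) is assumed, and the device records, token values and function names are constructed for the example. A counting wrapper around verify makes the iteration-count difference visible without needing wall-clock measurements.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Assumed contract of hashingService.verify: (raw token, stored hash) -> boolean.
export type VerifyFn = (rawToken: string, storedHash: string) => boolean;

export interface TrustedDevice {
  id: string;
  tokenHash: string;
}

// Constructed stand-in for the hashing service: unsalted SHA-256, hex-encoded.
export function hashToken(rawToken: string): string {
  return createHash("sha256").update(rawToken, "utf8").digest("hex");
}

// Per-entry comparison that does not itself leak through early byte mismatch.
export const verifyToken: VerifyFn = (rawToken, storedHash) => {
  const candidate = Buffer.from(hashToken(rawToken), "hex");
  const stored = Buffer.from(storedHash, "hex");
  if (candidate.length !== stored.length) return false;
  return timingSafeEqual(candidate, stored);
};

// The pattern the advisory describes: return on the first match, so the number
// of verify() calls depends on whether and where the token matches.
export function isTrustedDeviceEarlyReturn(
  devices: TrustedDevice[],
  rawToken: string,
  verify: VerifyFn = verifyToken,
): boolean {
  for (const device of devices) {
    if (verify(rawToken, device.tokenHash)) {
      return true;
    }
  }
  return false;
}

// Hardened loop: every entry is verified and the outcome is folded in with
// bitwise OR, so verify() always runs exactly devices.length times.
export function isTrustedDeviceFullScan(
  devices: TrustedDevice[],
  rawToken: string,
  verify: VerifyFn = verifyToken,
): boolean {
  let matched = 0;
  for (const device of devices) {
    matched |= verify(rawToken, device.tokenHash) ? 1 : 0;
  }
  return matched === 1;
}

// Lookup-side alternative: hash the raw token first and look it up by hash.
// The Map stands in for an indexed database column; this needs a
// deterministic (unsalted) hash, unlike bcrypt/argon2-style stored hashes.
export function buildHashIndex(devices: TrustedDevice[]): Map<string, TrustedDevice> {
  const index = new Map<string, TrustedDevice>();
  for (const device of devices) {
    index.set(device.tokenHash, device);
  }
  return index;
}

export function isTrustedDeviceByHashLookup(
  index: Map<string, TrustedDevice>,
  rawToken: string,
): boolean {
  return index.has(hashToken(rawToken));
}

// Wraps a verify function so a caller can count how often it was invoked.
export function countingVerify(inner: VerifyFn): { verify: VerifyFn; calls: () => number } {
  let n = 0;
  const verify: VerifyFn = (raw, hash) => {
    n += 1;
    return inner(raw, hash);
  };
  return { verify, calls: () => n };
}

// Constructed sample data: three trusted devices registered for one user.
export const sampleDevices: TrustedDevice[] = ["tok-A", "tok-B", "tok-C"].map(
  (t, i) => ({ id: `dev-${i + 1}`, tokenHash: hashToken(t) }),
);

// Verify-call counts for: match on first entry, match on last entry, no match.
export function demo(): { early: number[]; full: number[] } {
  const tokens = ["tok-A", "tok-C", "tok-Z"];
  const count = (fn: typeof isTrustedDeviceFullScan) =>
    tokens.map((t) => {
      const c = countingVerify(verifyToken);
      fn(sampleDevices, t, c.verify);
      return c.calls();
    });
  return { early: count(isTrustedDeviceEarlyReturn), full: count(isTrustedDeviceFullScan) };
}
```

Running demo() gives early = [1, 3, 3] and full = [3, 3, 3]: the early-return loop does one comparison when the token matches the first device but three when it matches the last or none, which is the signal the advisory describes; the full-scan loop does the same amount of work regardless. The full scan still takes time proportional to the list length, so the per-entry comparison must itself be constant-time (hence timingSafeEqual rather than ===), and the hash-lookup variant only applies where the stored hash is deterministic enough to query by.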