Finding this project was nice. However, I've found a rather serious issue: it is possible to log in several times using the same TOTP code. While convenient, this severely decreases the security of the solution. If somebody somehow managed to obtain a one-time code, both he and I could use the code to log in.
I think codes that have been used should be marked as used, and kept on a black list until they are no longer valid.
Otherwise, I really like this library. Just what I needed.
Thank you for your feedback. You are correct in that a TOTP code can be re-used within its validity period. It is for this reason that the time-step size is recommended to be short and secure keys employed between the issuing and verifying systems. The original implementation of this code was primarily to demonstrate the operation of this time-based authentication between disconnected systems.
There is however an explicit statement in RFC 6238 (which I seemingly overlooked) - "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."
As such, I will update this module to correct this behaviour - I will update this thread once committed, but I should have something ready within the next 24 hours.
I have published a new release (1.1.0) which includes support for preventing the re-use of TOTPs. This previous, more permissive behaviour can be maintained through the use of the auth_totp_reuse parameter.
Please feel free to re-open this thread if you run into any problems with this change.