
Valid TOTPs should still only work once when implemented well. And yes, it's not easy to exploit. The idea is something like: malware could sit and intercept a successful login, then initiate its own session by re-using the MFA code before it expires.



Yeah, but malware in that position can also just steal your session cookie.


Malware can also just steal your session cookie.



