* Industrial espionage and state actors - somebody setting up a camera to record the monitor and reusing the token
* Phishing site - the token can be reused, and then redirected to the original site. There wouldn't even be an error.
* Keylogger
* Somebody logging in while sharing the screen during a Zoom call
* Somebody standing over the shoulder, etc.
Considering this could be prevented with a single if statement, and how important 2FA is in protecting accounts, that's certainly my impression.
The password can be found out through other means (e.g. password reuse, phishing, keylogger, etc.)
For comparison, the exact same vulnerability was rated as medium severity (5.3/10) - high impact, but difficult to exploit
https://nvd.nist.gov/vuln/detail/CVE-2015-7225
(How do you log used codes, check if a code was previously used, and clean up old used codes in a single if statement?)
Check the last login/session/whatever for that account and if it was within the period of the TOTP that was submitted, force a relog.