
> Are you saying that a valid TOTP code can be reused within its validity period? What’s the proposed threat model here (how is an adversary using this to inflict harm)?

Allowing re-use violates the RFC:

   Note that a prover may send the same OTP inside a given time-step
   window multiple times to a verifier.  The verifier MUST NOT accept
   the second attempt of the OTP after the successful validation has
   been issued for the first OTP, which ensures one-time only use of an
   OTP.
* https://datatracker.ietf.org/doc/html/rfc6238#section-5

This is actually the only "MUST NOT" in the entire RFC (besides the definition of the term in §2).
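As an added illustration, not code from the thread or the RFC: a minimal RFC 6238 verifier that enforces the quoted MUST NOT by remembering the highest time-step it has already accepted (the usual server-side approach), so a repeated code inside the same 30-second window is rejected. The key is the 20-byte SHA-1 seed from the RFC's Appendix B test vectors; the `Verifier` class and its `drift` parameter are my own naming.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo key: the 20-byte SHA-1 seed used in RFC 6238 Appendix B test vectors.
SECRET = b"12345678901234567890"
STEP = 30    # RFC 6238 default time-step X, in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the time-step counter T = floor(unix_time / STEP)."""
    return hotp(secret, unix_time // STEP)


class Verifier:
    """Server side. Tolerates +/-`drift` steps of clock skew, but never accepts a
    time-step at or below the highest one already consumed; that is what keeps the
    OTP one-time (RFC 6238 section 5)."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift
        self.last_accepted_step = -1   # in production: per-user, persisted, updated atomically

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        base = now // STEP
        for delta in range(-self.drift, self.drift + 1):
            step = base + delta
            if step <= self.last_accepted_step:
                continue        # this step (or an older one) is already spent: replay, reject
            if hmac.compare_digest(hotp(self.secret, step).encode(), code.encode()):
                self.last_accepted_step = step
                return True
        return False
```

Without the `last_accepted_step` check the same code would validate as many times as the attacker can submit it before the window closes (plus any drift tolerance), which is exactly the reuse the RFC forbids.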




I would think the "OTP" would be the giveaway, but hey, I'm no CTO



