Clarification Required
Closed this issue · 1 comment
Please check these requirements
- This feature helps everyone using this package
- It's feasible and maintainable
- It's non breaking
- I issued a PR with the implementation (optional)
Description
Just wanted to clarify: is there currently internal logic that disallows the same 2FA code from being used twice?
Is there a way to disable this, or is this part of the requirement for TOTP?
My use case:
- User with administrative rights tries to login to the portal
- User prompted to enter 2FA
- User successfully logs in to portal
- User tries to access privilege module
- User prompted to confirm 2FA again (still within 30 seconds)
- Authenticator app is still showing same 2FA
- User tries to enter the same 2FA and fails.
- User waits for 2FA on Authenticator app to "refresh"
- User enters new 2FA
- User is able to access privilege module
Code sample
This post was meant as a clarification
It does, by adding that key to a cache. When a key is entered, it first checks if it exists in this cache. If it does, then it's blacklisted.
Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
A way to bypass this blacklist would be to add an option to all the checks, but that would need a major rework. Nice idea, could add it to the next major version.
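The one-time-use rule quoted above, and the cache the maintainer describes, can be modelled end to end in a few dozen lines. The following is an added example written for this page, not the package's own code: a Python TOTP verifier (RFC 4226 HOTP under RFC 6238 time steps) whose "cache" is an in-memory dict, which is an assumption standing in for whatever store the real package uses. The secret is the published RFC 4226/6238 test-vector seed so the codes can be checked against the RFCs; `ReplayGuardedVerifier`, `demo` and the `(accepted, reason)` return shape are all names chosen for this example. It walks the issue's scenario: the same code is accepted at login, refused when re-prompted ten seconds later, still refused one step later while the clock-skew window would otherwise match it, and a fresh code is accepted.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector seed
# (ASCII "12345678901234567890"), used so the codes below are checkable
# against the published vectors. Real secrets must be random per user.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class ReplayGuardedVerifier:
    """Verifies TOTP codes and refuses any code that has already been accepted.

    The cache from the comment above is modelled as an in-memory dict
    (hypothetical; a shared store with a TTL would replace it in practice).
    It is keyed on (user_id, time-step counter) rather than on the code string,
    so the refusal is scoped to the step that actually matched and a
    coincidentally identical code in a later step is still accepted.
    """

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step = step
        self.window = window  # accept +/- this many steps of clock skew
        self.digits = digits
        self._used: dict[tuple[str, int], int] = {}  # (user, counter) -> time accepted

    def verify(self, user_id: str, secret: bytes, code: str, now: int) -> tuple[bool, str]:
        """Return (accepted, reason); reason is 'ok', 'replayed' or 'invalid'."""
        if not (code.isdigit() and len(code) == self.digits):
            return False, "invalid"
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            # compare_digest keeps comparison time independent of the submitted code
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                if (user_id, counter) in self._used:
                    return False, "replayed"  # RFC 6238 s5.2: MUST NOT accept a second time
                self._used[(user_id, counter)] = now
                return True, "ok"
        return False, "invalid"

    def purge(self, now: int) -> int:
        """Drop entries for steps that can no longer fall inside the window; returns the count."""
        cutoff = now // self.step - self.window
        stale = [key for key in self._used if key[1] < cutoff]
        for key in stale:
            del self._used[key]
        return len(stale)


def demo() -> list[tuple[bool, str]]:
    """The issue's scenario: login, then a privileged re-prompt inside the same 30 s step."""
    verifier = ReplayGuardedVerifier()
    t_login = 59  # RFC 6238 vector: step counter 1, 6-digit code 287082
    code = totp(SAMPLE_SECRET, t_login)
    return [
        verifier.verify("admin", SAMPLE_SECRET, code, t_login),       # login: accepted
        verifier.verify("admin", SAMPLE_SECRET, code, t_login + 10),  # re-prompt, same code: replayed
        verifier.verify("admin", SAMPLE_SECRET, code, t_login + 30),  # next step, still in skew window: replayed
        verifier.verify("admin", SAMPLE_SECRET, totp(SAMPLE_SECRET, t_login + 30), t_login + 30),  # fresh code: accepted
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The third call is the case a naive "cache the code string for 30 seconds" implementation gets wrong: with a skew window of one step the old code is still a valid match one step later, so the cache has to live at least `window + 1` steps, which is what `purge` enforces. Keying on the matched counter also means the option the maintainer mentions, if it were ever added, would only need to skip the cache lookup on a per-call basis rather than change the verification path.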