Laragear/TwoFactor

Clarification Required

Closed this issue · 1 comments

Please check these requirements

  • This feature helps everyone using this package
  • It's feasible and maintainable
  • It's non breaking
  • I issued a PR with the implementation (optional)

Description

Just wanted to clarify: is there currently internal logic that disallows the same 2FA code from being used twice?
Is there a way to disable this, or is this part of the requirements for TOTP?

My use case:

  1. User with administrative rights tries to log in to the portal
  2. User is prompted to enter 2FA
  3. User successfully logs in to the portal
  4. User tries to access a privileged module
  5. User is prompted to confirm 2FA again (still within 30 seconds)
  6. Authenticator app is still showing the same 2FA code
  7. User tries to enter the same 2FA code and fails.
  8. User waits for the 2FA code in the Authenticator app to "refresh"
  9. User enters the new 2FA code
  10. User is able to access the privileged module

Code sample

This post was meant as a clarification

It does, by adding that key to a cache. When a key is entered, it first checks if it exists in this cache. If it does, then it's blacklisted.

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

A way to bypass this blacklist would be to add an option to all the checks, but that would need a major rework. Nice idea; I could add it to the next major version.
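The mechanism the maintainer describes, as an added example that is not the Laragear/TwoFactor package's own code: a TOTP verifier that records each successfully validated code in a cache and rejects it for the rest of the window in which it could still validate, which is exactly what produces the flow in the issue (same code within 30 seconds fails, next code succeeds). A plain dict stands in for the Laravel cache, the clock is injectable so the scenario is deterministic, and the class and function names (`TotpVerifier`, `scenario`, `FakeClock`) are hypothetical. The secret is the RFC 4226 / RFC 6238 test-vector key, used here as constructed input.

```python
"""TOTP verification with RFC 6238 section 5.2 one-time-use enforcement.

Added illustration, not the Laragear/TwoFactor package's own code. A dict
stands in for the Laravel cache described in the issue; names are hypothetical.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Accepts each TOTP code at most once per user, as RFC 6238 section 5.2 requires.

    `window` is the number of adjacent time steps tolerated for clock drift;
    `clock` is injectable so the scenario below runs against fixed times.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, clock=time.time):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.clock = clock
        # Used-code "blacklist": (user_id, code) -> unix time after which the
        # code can no longer validate, so the entry is safe to evict (a cache TTL).
        self._used: dict[tuple[str, str], float] = {}

    def _purge(self, now: float) -> None:
        """Evict entries whose code could no longer be accepted anyway."""
        for key in [k for k, exp in self._used.items() if exp <= now]:
            del self._used[key]

    def verify(self, user_id: str, code: str) -> bool:
        now = self.clock()
        self._purge(now)
        key = (user_id, code)
        if key in self._used:
            return False  # replay inside the validity window: reject
        counter = int(now // self.step)
        for drift in range(-self.window, self.window + 1):
            expected = hotp(self.secret, counter + drift, self.digits)
            if hmac.compare_digest(expected, code):
                # The last time step in which this code could still match is
                # counter + drift + window; keep the entry until that step ends.
                self._used[key] = (counter + drift + self.window + 1) * self.step
                return True
        return False


class FakeClock:
    """Settable clock so the issue's timeline can be replayed exactly."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


# Constructed input: the 20-byte ASCII key from the RFC 4226 / RFC 6238 test vectors.
SECRET = b"12345678901234567890"


def scenario() -> list[bool]:
    """Replays the issue's flow: login, re-prompt within 30 s, refreshed code."""
    clock = FakeClock(45.0)                      # time step 1 (45 // 30)
    verifier = TotpVerifier(SECRET, window=1, clock=clock)
    code = totp(SECRET, clock.now)               # "287082" per the RFC vector
    results = [verifier.verify("admin", code)]   # step 3: login succeeds
    clock.now = 55.0                             # step 5: same 30 s window
    results.append(verifier.verify("admin", code))  # step 7: same code rejected
    clock.now = 65.0                             # step 8: app has refreshed
    results.append(verifier.verify("admin", totp(SECRET, clock.now)))  # step 10
    # The old code still falls inside the drift window but stays blacklisted.
    results.append(verifier.verify("admin", code))
    return results


if __name__ == "__main__":
    print(scenario())  # [True, False, True, False]
```

The expiry stored per entry is what keeps the cache bounded: once a code can no longer validate for any counter inside the drift window, remembering it buys nothing, so the entry is dropped. Keying on the user as well as the code avoids one user's successful code locking out a different user who happens to be shown the same six digits.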