dxw/2fa

Tokens should be expired on use even during setup

Closed this issue · 0 comments

If a user is logging in, then the TOTP token they enter becomes invalid. But if a user is setting up TOTP on their account, then immediately after they click "verify" a shoulder-surfer can log in using the TOTP token they just entered in the setup form.
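The fix the issue asks for is that the setup "verify" step consumes the code the same way login does. The following is an added illustration, not code from the dxw/2fa plugin: a minimal RFC 6238 TOTP verifier where both the setup check and the login check share one consume path that records the highest accepted time step, so a code that confirmed setup is already spent if someone replays it at the login form (the secret, account class and method names are constructed for the example).

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, now // step)


class TotpAccount:
    """Per-user TOTP state (constructed for this example).

    last_used is the highest time step already accepted. It is advanced by
    *both* setup verification and login, which is exactly what closes the
    replay window described in the issue."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_used = -1      # no code accepted yet
        self.enabled = False

    def _consume(self, code: str, now: int) -> bool:
        current = now // self.step
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_used:   # this step was already used: replay
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used = counter    # burn the step on success
                return True
        return False

    def verify_setup(self, code: str, now: int) -> bool:
        """The 'verify' click during setup: enable 2FA and expire the code."""
        if self._consume(code, now):
            self.enabled = True
            return True
        return False

    def verify_login(self, code: str, now: int) -> bool:
        """Login check: same consume path, so the setup code is already spent."""
        return self.enabled and self._consume(code, now)
```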