OTP Reuse?

Open ryanb opened this issue 2 years ago • 4 comments

Does the two-factor authentication allow reuse of the OTP? I don't see anything in the database changing after signing in through 2FA. This was handled in devise-two-factor-auth by adding a consumed_timestep column in https://github.com/devise-two-factor/devise-two-factor/pull/43. See this post for details.

Should authentication-zero do something similar?

Great work on this gem btw!

ryanb avatar Sep 27 '23 21:09 ryanb

Looking into it further, looks like rotp supports an after option. It looks fairly simple to add an otp_consumed_at column to user, pass that in to rotp verify, and update it whenever signing in with otp.

ryanb avatar Sep 27 '23 22:09 ryanb
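The approach sketched above, worked through as an added example (not code from authentication-zero or from this thread): a small TOTP verifier that mirrors rotp's `after:` option and a `sign_in_with_otp` step that records the consumed timestamp. To run without the rotp gem it reimplements RFC 6238 with OpenSSL; the `User` struct and `otp_secret`/`otp_consumed_at` fields are stand-ins for the proposed column.

```ruby
require "openssl"

INTERVAL = 30 # RFC 6238 time step in seconds
DIGITS   = 6

# HOTP/TOTP value for one time step (RFC 6238, HMAC-SHA1). Written here
# so the example runs without the rotp gem; drift shifts the step.
def totp_at(secret, time, drift = 0)
  counter = (time.to_i / INTERVAL) + drift
  hmac    = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
  offset  = hmac.bytes.last & 0x0f
  code    = (hmac[offset, 4].unpack1("N") & 0x7fffffff) % (10**DIGITS)
  format("%0#{DIGITS}d", code)
end

# Constant-time comparison so code checking does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors rotp's verify(code, after:): returns the matched step's
# timestamp (step * INTERVAL) or nil. Steps at or before `after` are
# skipped, so a code that was already consumed cannot be replayed.
def verify_totp(secret, code, at:, after: nil, drift_behind: 1)
  (-drift_behind..0).each do |drift|
    step = (at.to_i / INTERVAL) + drift
    next if after && step <= after.to_i / INTERVAL
    return step * INTERVAL if secure_compare(totp_at(secret, at, drift), code)
  end
  nil
end

# Stand-in for a users row with the proposed otp_consumed_at column
# (hypothetical; authentication-zero would use an ActiveRecord model).
User = Struct.new(:otp_secret, :otp_consumed_at)

# The sign-in step from the thread: verify with `after:` and, on success,
# persist the consumed timestamp so the same code is rejected afterwards.
def sign_in_with_otp(user, code, now:)
  matched = verify_totp(user.otp_secret, code, at: now, after: user.otp_consumed_at)
  return false unless matched
  user.otp_consumed_at = matched
  true
end
```

With the RFC 4226 test secret `12345678901234567890`, the code at t=59 is `287082`; a first sign-in at t=59 succeeds and stores 30, and the same code at t=60 is rejected even though the one-step drift window would otherwise accept it.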

Yeah, I haven't implemented it as a matter of simplicity. So, yes, you can reuse the same OTP inside the 30 seconds, I don't see it as a big issue because we use the OTP codes as 2FA, but I would be happy to merge a simple implementation for that.

lazaronixon avatar Sep 27 '23 22:09 lazaronixon

> Yeah, I haven't implemented it as a matter of simplicity. So, yes, you can reuse the same OTP inside the 30 seconds, I don't see it as a big issue because we use the OTP codes as 2FA, but I would be happy to merge a simple implementation for that.

I agree it isn't a serious security issue, and if the goal is simplicity I can understand intentionally leaving it out. I just wanted to raise it here in case it was missed. Feel free to close this issue.

ryanb avatar Sep 27 '23 22:09 ryanb

I will re-evaluate it though...

lazaronixon avatar Sep 27 '23 22:09 lazaronixon