OTP Reuse? #82
Comments
Yeah, I haven't implemented it as a matter of simplicity. So, yes, you can reuse the same OTP inside the 30 seconds, I don't see it as a big issue because we use the OTP codes as 2FA, but I would be happy to merge a simple implementation for that.
I agree it isn't a serious security issue, and if the goal is simplicity I can understand intentionally leaving it out. I just wanted to raise it here in case it was missed. Feel free to close this issue.
I will re-evaluate it though...
Does the two-factor authentication allow reuse of the OTP? I don't see anything in the database changing after signing in through 2FA. This was handled in devise-two-factor-auth by adding a consumed_timestep column in devise-two-factor/devise-two-factor#43. See this post for details. Should authentication-zero do something similar?
Great work on this gem btw!
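The consumed_timestep approach the issue refers to, as an added example in plain Ruby (not code from authentication-zero or devise-two-factor): a minimal RFC 6238 TOTP verifier that records the timestep of the last accepted code and refuses any code at or below it. DEMO_SECRET is a constructed demo key (the RFC 6238 test-vector secret) and the User struct is a stand-in for a real model row.

```ruby
require 'openssl'

# RFC 6238 TOTP on the RFC 4226 HOTP core: HMAC-SHA1, 6 digits, 30 s steps.
TOTP_STEP   = 30
TOTP_DIGITS = 6
DRIFT_STEPS = 1 # also accept the previous and next step (clock skew)

# Constructed demo secret: the RFC 6238 test-vector key, raw bytes.
DEMO_SECRET = "12345678901234567890".b

# Stand-in for a user row with an otp_secret and a consumed_timestep column.
User = Struct.new(:otp_secret, :consumed_timestep)

def hotp(secret, counter)
  msg    = [counter].pack('Q>')               # 8-byte big-endian counter
  hmac   = OpenSSL::HMAC.digest('SHA1', secret, msg)
  offset = hmac[-1].ord & 0x0f                # dynamic truncation, RFC 4226 5.3
  code   = hmac[offset, 4].unpack1('N') & 0x7fffffff
  format("%0#{TOTP_DIGITS}d", code % (10**TOTP_DIGITS))
end

def totp(secret, now)
  hotp(secret, now.to_i / TOTP_STEP)
end

# Constant-time equality so the comparison does not leak matching digits.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifies `code` at time `now`. On success the matched timestep is stored
# on the user; any later attempt at a timestep <= consumed_timestep is
# refused, so a code cannot be replayed inside its 30-second window.
def verify_totp!(user, code, now)
  current = now.to_i / TOTP_STEP
  (current - DRIFT_STEPS..current + DRIFT_STEPS).each do |ts|
    next if user.consumed_timestep && ts <= user.consumed_timestep
    if secure_equal?(hotp(user.otp_secret, ts), code.to_s)
      user.consumed_timestep = ts # in Rails: user.update!(consumed_timestep: ts)
      return true
    end
  end
  false
end
```

The update of consumed_timestep must be persisted in the same transaction as the login decision, otherwise two concurrent requests could both pass with the same code.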