OTP Reuse?

[ryanb]

Does the two-factor authentication allow reuse of the OTP? I don't see anything in the database changing after signing in through 2FA. This was handled in devise-two-factor-auth by adding a consumed_timestep column in devise-two-factor/devise-two-factor#43. See this post for details.

Should authentication-zero do something similar?

Great work on this gem btw!

[ryanb]

Looking into it further, looks like rotp supports an after option. It looks fairly simple to add an otp_consumed_at column to user, pass that in to rotp verify, and update it whenever signing in with otp.

[lazaronixon]

Yeah, I haven't implemented it as a matter of simplicity. So, yes, you can reuse the same OTP inside the 30 seconds, I don't see it as a big issue because we use the OTP codes as 2FA, but I would be happy to merge a simple implementation for that.

[ryanb]

Yeah, I haven't implemented it as a matter of simplicity. So, yes, you can reuse the same OTP inside the 30 seconds, I don't see it as a big issue because we use the OTP codes as 2FA, but I would be happy to merge a simple implementation for that.

I agree it isn't a serious security issue, and if the goal is simplicity I can understand intentionally leaving it out. I just wanted to raise it here in case it was missed. Feel free to close this issue.

[lazaronixon]

I will re-evaluate it though...