
OTP Reuse? #82

Open
ryanb opened this issue Sep 27, 2023 · 4 comments

Comments

@ryanb

ryanb commented Sep 27, 2023

Does the two-factor authentication allow reuse of the OTP? I don't see anything in the database changing after signing in through 2FA. This was handled in devise-two-factor-auth by adding a consumed_timestep column in devise-two-factor/devise-two-factor#43. See this post for details.

Should authentication-zero do something similar?

Great work on this gem btw!

@ryanb
Author

ryanb commented Sep 27, 2023

Looking into it further, looks like rotp supports an after option. It looks fairly simple to add an otp_consumed_at column to user, pass that in to rotp verify, and update it whenever signing in with otp.
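The approach sketched in this comment, as an added example that is not authentication-zero's or rotp's own code: TOTP is re-implemented in plain Ruby (RFC 4226/6238, HMAC-SHA1, 30 s steps) so it runs without the rotp gem, and `totp_verify` mirrors the semantics of rotp's `verify(otp, after:)`, skipping every timestep at or before the one recorded in `after` and returning the start of the matched timestep so the caller can persist it. The `User` struct, the `otp_consumed_at` field and `sign_in_with_otp` are assumed names standing in for the users table and the sign-in step; the secret and timestamps are the RFC 6238 test vectors, constructed here so the walkthrough is deterministic.

```ruby
require 'openssl'

# Added example, not code from the project or from rotp. Pure-Ruby TOTP that
# mirrors rotp's `verify(otp, after:)`: timesteps at or before `after` are
# excluded, and the start of the matched timestep is returned for persisting.

INTERVAL = 30
DIGITS   = 6

# HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then the
# standard dynamic truncation to a zero-padded decimal code.
def hotp(secret, counter)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), secret, [counter].pack('Q>')).bytes
  offset = mac[-1] & 0x0f
  code = ((mac[offset] & 0x7f) << 24) |
         (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) |
         mac[offset + 3]
  (code % 10**DIGITS).to_s.rjust(DIGITS, '0')
end

# Constant-time comparison so a wrong code does not leak where it diverged.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# TOTP verification. Returns the Unix time at which the matched timestep starts,
# or nil. `after` (Time or Integer) drops that timestep and everything before it,
# which is what makes a code single-use even inside the drift window.
def totp_verify(secret, otp, at:, after: nil, drift_behind: 0, drift_ahead: 0)
  step = at.to_i / INTERVAL
  candidates = ((step - drift_behind)..(step + drift_ahead)).to_a
  candidates.select! { |t| t > after.to_i / INTERVAL } if after
  matched = candidates.find { |t| secure_compare(hotp(secret, t), otp) }
  matched && matched * INTERVAL
end

# Stand-in for the User model (assumed names). In the app this would be an
# `otp_consumed_at` column on the users table, as proposed in the issue.
User = Struct.new(:otp_secret, :otp_consumed_at)

# Sign-in step: verify against the last consumed timestep and, on success,
# record the new one before granting the session. drift_behind: 1 shows that
# the `after` check also closes the reuse window that clock drift would open.
def sign_in_with_otp(user, code, now:)
  matched = totp_verify(user.otp_secret, code, at: now,
                        after: user.otp_consumed_at, drift_behind: 1)
  return false unless matched
  user.otp_consumed_at = matched # persist: user.update!(otp_consumed_at: Time.at(matched))
  true
end

# Constructed walkthrough using the RFC 6238 SHA-1 test secret and fixed Unix
# timestamps; in production `now:` would be Time.now.
if __FILE__ == $PROGRAM_NAME
  user = User.new('12345678901234567890', nil)
  p sign_in_with_otp(user, '081804', now: 1_111_111_100) # true: fresh code
  p sign_in_with_otp(user, '081804', now: 1_111_111_109) # false: replay, same 30 s window
  p sign_in_with_otp(user, '081804', now: 1_111_111_111) # false: drift alone would accept it
  p sign_in_with_otp(user, '050471', now: 1_111_111_111) # true: next window's code
end
```

Without `after`, `totp_verify` happily returns the same timestep for a repeated code, which is the reuse the issue describes; storing what `totp_verify` returns and feeding it back in on the next attempt is the whole fix, and the write to `otp_consumed_at` should happen in the same transaction as the session creation so two concurrent submissions of one code cannot both succeed.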

@lazaronixon
Owner

Yeah, I haven't implemented it as a matter of simplicity. So, yes, you can reuse the same OTP inside the 30 seconds, I don't see it as a big issue because we use the OTP codes as 2FA, but I would be happy to merge a simple implementation for that.

@ryanb
Author

ryanb commented Sep 27, 2023

> Yeah, I haven't implemented it as a matter of simplicity. So, yes, you can reuse the same OTP inside the 30 seconds, I don't see it as a big issue because we use the OTP codes as 2FA, but I would be happy to merge a simple implementation for that.

I agree it isn't a serious security issue, and if the goal is simplicity I can understand intentionally leaving it out. I just wanted to raise it here in case it was missed. Feel free to close this issue.

@lazaronixon
Owner

I will re-evaluate it though...
