Comment by alphager
1 month ago
The 30 seconds (+30-60 seconds to account for clock drift) are long enough to exploit.
TOTP is primarily a defense against password reuse (a third-party site gets popped and leaks passwords; thanks to TOTP my site isn't overrun by adversaries) and password stuffing attacks.
In every system I've worked on, recent successful TOTPs have been cached as well to validate they're not used more than once.
In fact, re-reading RFC 6238 it states:
https://datatracker.ietf.org/doc/html/rfc6238
Assuming your adversary isn't actually directly impersonating you but simply gets the result from the successful attempt a few seconds later, the OTP should be invalid, being a one-time password and all.
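The replay cache the comment describes, as an added example that is not the commenter's code or any particular product's: an RFC 6238 TOTP verifier (HMAC-SHA1, 30-second step, 6 digits) that tolerates one step of clock drift either way and remembers which time-step counters have already produced a successful login for a user, so the same code presented again a few seconds later is rejected. The one-step window, the in-memory per-user cache, and the user names are assumptions for illustration; the 20-byte secret is the RFC 4226/6238 test-vector seed, used here only so the results can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

STEP = 30      # RFC 6238 default time step, in seconds
DIGITS = 6     # code length
WINDOW = 1     # accept one step before and after "now" to absorb clock drift (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Verifies a TOTP code within a drift window and refuses reuse of an accepted code.

    The replay cache is a per-user set of time-step counters that already logged in.
    In a real deployment this would live in shared storage so every verifier node sees it.
    """

    def __init__(self, window: int = WINDOW, step: int = STEP):
        self.window = window
        self.step = step
        self._used: dict[str, set[int]] = {}   # user -> counters already consumed

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        counter = now // self.step
        used = self._used.setdefault(user, set())
        # Drop cached counters that can no longer fall inside any accepted window.
        used.difference_update({c for c in used if c < counter - self.window})

        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                if c in used:
                    return False          # correct code, but already spent: replay
                used.add(c)               # consume it so a second use is refused
                return True
        return False                      # no counter in the window produced this code


if __name__ == "__main__":
    # Demo with a constructed secret; real secrets come from enrollment, not source code.
    secret = b"12345678901234567890"
    v = TotpVerifier()
    now = int(time.time())
    code = totp(secret, now)
    print("first use :", v.verify("alice", secret, code, now))        # True
    print("replay    :", v.verify("alice", secret, code, now + 5))    # False
```

The cache key is the time-step counter rather than the six-digit string, so a code that is valid for a counter inside the window is consumed exactly once per step regardless of how many times the attacker resubmits it, and entries age out automatically once they leave the drift window.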