Comment by vel0city

1 month ago

In every system I've worked on recent successful TOTPs have been cached as well to validate they're not used more than once.

1 comment

vel0city

Reply
vel0city  1 month ago

In fact, re-reading RFC 6238 it states:

   Note that a prover may send the same OTP inside a given time-step
   window multiple times to a verifier.  The verifier MUST NOT accept
   the second attempt of the OTP after the successful validation has
   been issued for the first OTP, which ensures one-time only use of an
   OTP.

https://datatracker.ietf.org/doc/html/rfc6238

Assuming your adversary isn't actually directly impersonating you but simply gets the result from the successful attempt a few seconds later, the OTP should be invalid, being a one time password and all.