DarkGhostHunter / Laraguard

On-premises 2FA Authentication for all your users out-of-the-box
MIT License

Do not accept a second use of a valid OTP code #1

Closed victorlap closed 4 years ago

victorlap commented 4 years ago

First and foremost, I would like to thank you for creating such a nice project. I want to implement this in an app but stumbled across the following piece in the TOTP RFC:

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

Maybe it is feasible to cache the usage of a token and only allow the first submission to pass through?

DarkGhostHunter commented 4 years ago

Thanks. Since it's a very variable thing, a Cache could be better.


I will consider this as a security problem, because an attacker could spy the code and use it again. I will take down the package from packagist until this is resolved.

DarkGhostHunter commented 4 years ago

I resolved it locally. Basically, a trait initializes the cache and then saves the code until the time it expires.

Need more testing, but I plan to release it this week.
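The approach the thread converges on (the RFC requirement quoted in the first comment, and the "save the code until it expires" fix described above), shown as an added example that is not Laraguard's code: a small TOTP verifier in Python that checks a code against a clock-drift window and, per user, records the time-step counter of each accepted code until that counter can no longer be accepted, so a second submission of the same code is refused. The secret is the RFC 4226/6238 reference key and the timestamps are constructed test inputs; class and method names are my own.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret, used here only as a constructed example key.
SECRET = b"12345678901234567890"
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Verifies TOTP codes and refuses a second use of an already accepted code.

    The replay cache maps (user_id, time-step counter) to the instant at which
    that counter falls out of the acceptance window. An entry lives exactly as
    long as the code it represents could still be accepted, which is the
    "save the code until it expires" behaviour the fix describes.
    """

    def __init__(self, step: int = TIME_STEP, window: int = 1):
        self.step = step
        self.window = window  # accept +/- this many steps of clock drift
        self._used = {}       # (user_id, counter) -> expiry timestamp

    def verify(self, user_id: str, secret: bytes, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        self._purge(now)
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            # Constant-time comparison so a wrong digit is not detectable by timing.
            if hmac.compare_digest(hotp(secret, counter), code):
                key = (user_id, counter)
                if key in self._used:
                    return False  # replay: this code was already accepted once
                # Keep the entry until the counter can no longer be accepted.
                self._used[key] = (counter + self.window + 1) * self.step
                return True
        return False

    def _purge(self, now: int) -> None:
        """Drop cache entries for counters that no longer fall inside any window."""
        self._used = {k: exp for k, exp in self._used.items() if exp > now}


if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(SECRET, 59)               # counter 1, RFC test vector 287082
    print(v.verify("alice", SECRET, code, now=59))  # first use accepted
    print(v.verify("alice", SECRET, code, now=61))  # same code again, rejected
```

Two points worth keeping in mind when porting this to a real application. The cache entry must outlive a single time step whenever a drift window is allowed, because a code for counter c stays acceptable for `window` steps after its own step ends; expiring the entry after 30 seconds would reopen the replay for the rest of the window. And the cache has to be shared by every instance that verifies codes (a central cache store rather than per-process memory), otherwise a replayed code sent to a different node is accepted.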

DarkGhostHunter commented 4 years ago

Fixed in #2

victorlap commented 4 years ago

I am impressed by the speedy resolution!🙌

DarkGhostHunter commented 4 years ago

> I am impressed by the speedy resolution!🙌

Thanks. Any new idea hit the issues.