Closed NHAS closed 1 year ago
Currently a 2FA TOTP code can be used as many times as a user wants within the 30-second window in which it is valid.
This may allow a malicious actor who can somehow capture one valid 2FA code to reauthenticate during this time.
So we need to invalidate the token once it is used once.
Potentially fixed on unstable
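As an added illustration of the fix the issue asks for (not the project's own code), the verifier below derives the RFC 6238 code for the current 30-second step and remembers, per user, the last step that was accepted, so a second presentation of the same code inside its window is rejected. The names `Verifier`, `NewVerifier` and `totpCode` are assumed, and no clock-skew tolerance (adjacent steps) is applied.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const period = 30 // TOTP time-step length in seconds

// totpCode derives the 6-digit RFC 6238 (HMAC-SHA1) code for one time step.
func totpCode(secret []byte, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier records the last time step each user authenticated with, so a
// captured code cannot be replayed while its 30-second window is still open.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]int64 // hypothetical in-memory store; persist in practice
}

func NewVerifier() *Verifier { return &Verifier{lastStep: map[string]int64{}} }

// Verify accepts code only if it matches the current step (constant-time
// compare) and that step is newer than the last one this user consumed.
func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	step := now.Unix() / period
	if !hmac.Equal([]byte(code), []byte(totpCode(secret, step))) {
		return false
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if step <= v.lastStep[user] {
		return false // same or older step already used: replay rejected
	}
	v.lastStep[user] = step
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector seed
	v, now := NewVerifier(), time.Unix(59, 0)
	code := totpCode(secret, now.Unix()/period)
	fmt.Println(v.Verify("alice", secret, code, now), v.Verify("alice", secret, code, now))
}
```

Once a code has been accepted, any further use of it by the same user within the window returns false, which is the invalidation the issue describes.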