ScilifelabDataCentre / dds_web

A cloud-based system for the delivery of data from SciLifeLab Facilities to their users (e.g. research group).

Allow TOTP to be used only once #720

Closed alneberg closed 2 years ago

alneberg commented 2 years ago

From the documentation of pyotp (https://pyauth.github.io/pyotp/): "Deny replay attacks by rejecting one-time passwords that have been used by the client (this requires storing the most recently authenticated timestamp, OTP, or hash of the OTP in your database, and rejecting the OTP when a match is seen)"

i-oden commented 2 years ago

@alneberg Since we're using TOTP and the user's secret is stored in the User table and there is a check if the TOTP has been set up, I interpret this to mean that we're already fulfilling this?

i-oden commented 2 years ago

Since the input is verified, replay attacks shouldn't be possible? Since only one 6-digit one-time code is valid at a time.

alneberg commented 2 years ago

No, I think we still need to fix this. As you say, the replay attack needs to be done within the 30-second (really 90-second, with the +/- 1 tick) interval, but it's still possible.
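
The following is an added example illustrating the two comments above (the pyotp advice to store the most recently used OTP or timestamp, and the point that a replay is otherwise possible anywhere in the +/- 1 tick window); it is not dds_web project code. It implements RFC 6238 TOTP with the standard library only, so pyotp is not needed to run it. The function names, the module-level `LAST_USED_STEP` store and the demo secret (the RFC 6238 test key, base32-encoded) are assumptions for this illustration, not identifiers from the project; in a real deployment the last-used time step would be a column on the User table next to the secret.

```python
"""Added example, not dds_web code: TOTP verification that accepts each
one-time code at most once. Stdlib only (RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30       # seconds per TOTP tick
DIGITS = 6
VALID_WINDOW = 1     # accept +/- 1 tick, the 90-second interval from the thread

# Demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded.
# Constructed for this example only; never hard-code real user secrets.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Replay state (assumed name): user -> highest time step already used to log in.
# In a real system this is persisted next to the user's secret, not kept in memory.
LAST_USED_STEP = {}


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp_at(secret_b32, unix_time):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP)."""
    return hotp(secret_b32, int(unix_time) // TIME_STEP)


def matching_step(secret_b32, code, unix_time):
    """Return the time step within +/- VALID_WINDOW whose code equals `code`, or None."""
    if len(code) != DIGITS or not code.isdigit():
        return None
    current = int(unix_time) // TIME_STEP
    for step in range(current - VALID_WINDOW, current + VALID_WINDOW + 1):
        # constant-time comparison so the check does not leak matching digits
        if hmac.compare_digest(hotp(secret_b32, step), code):
            return step
    return None


def verify_totp_naive(secret_b32, code, unix_time):
    """The check the thread starts from: any code in the window is accepted,
    however many times it is presented, so a captured code can be replayed."""
    return matching_step(secret_b32, code, unix_time) is not None


def verify_totp(user, secret_b32, code, unix_time):
    """Hardened check: the matching step must be newer than the last step this
    user authenticated with. A replayed code (same step) and an older code
    presented after a newer one are both rejected; the step is only recorded
    on success, so a failed attempt does not advance the user's state."""
    step = matching_step(secret_b32, code, unix_time)
    if step is None:
        return False
    if step <= LAST_USED_STEP.get(user, -1):
        return False
    LAST_USED_STEP[user] = step
    return True


if __name__ == "__main__":
    code = totp_at(DEMO_SECRET, 59)                      # RFC 6238 vector: 287082
    print("naive, first use :", verify_totp_naive(DEMO_SECRET, code, 59))
    print("naive, replayed  :", verify_totp_naive(DEMO_SECRET, code, 75))
    print("strict, first use:", verify_totp("alice", DEMO_SECRET, code, 59))
    print("strict, replayed :", verify_totp("alice", DEMO_SECRET, code, 75))
```

Storing the accepted time step rather than a hash of the code is the "timestamp" variant of the pyotp advice and is slightly stronger: it also refuses a previous tick's code once a newer one has been used. The cost is that a legitimate user who logs in twice inside one 30-second tick must wait for the next tick, which is exactly the "only once" behaviour the issue title asks for.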

i-oden commented 2 years ago

Closing due to change of plan. Using HOTP via email to start with.