Closed: alneberg closed this 2 years ago
@alneberg Since we're using TOTP, and the user's secret is stored in the User table, and there is a check if the TOTP has been set up, I interpret this as that we're already fulfilling this?
Since the input is verified, replay attacks shouldn't be possible? Since only one 6-digit one-time code is valid at a time.
No I think we still need to fix this. As you say, the replay attack needs to be done within the 30 seconds (90 seconds really with the +/- 1 tick) interval, but it's still possible.
Closing due to change of plan. Using HOTP via email to start with.
From the documentation of pyotp (https://pyauth.github.io/pyotp/): "Deny replay attacks by rejecting one-time passwords that have been used by the client (this requires storing the most recently authenticated timestamp, OTP, or hash of the OTP in your database, and rejecting the OTP when a match is seen)"
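An added example (not part of this issue thread, and not pyotp's own code) of the guard the pyotp documentation describes: a minimal RFC 6238 TOTP built on the standard library, plus a verifier that stores the last accepted time step per user so a code replayed inside the +/- 1 step window is rejected. The secret is the RFC 6238 Appendix B test key; the user names are constructed.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key ("12345678901234567890" in base32); a constructed example value.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (pyotp's defaults) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226 section 5.3
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


class ReplayGuardedTOTP:
    """Accepts a code from the current, previous or next step, but never a step
    at or before the one most recently authenticated for that user.

    The per-user `last_step` dict stands in for the "most recently authenticated
    timestamp" column the pyotp docs say to keep in the database.
    """

    def __init__(self, step: int = 30):
        self.step = step
        self.last_step: dict = {}  # user -> most recent accepted time step index

    def verify(self, user: str, secret_b32: str, code: str, now: int) -> bool:
        for drift in (-1, 0, 1):                 # +/- 1 tick, i.e. the 90 second window
            candidate_time = now + drift * self.step
            expected = totp_code(secret_b32, candidate_time, self.step)
            if hmac.compare_digest(expected, code):
                step_index = candidate_time // self.step
                if step_index <= self.last_step.get(user, -1):
                    return False                 # replay: this step (or an older one) already used
                self.last_step[user] = step_index
                return True
        return False
```

Rejecting any step at or before the last accepted one, rather than only an exact match, also closes the gap where the previous window's code is presented after a newer one has been accepted.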