jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

Disallow last verified code #97

Open vilda opened 9 years ago

vilda commented 9 years ago

A code once verified must not be accepted again, as per RFC 6238. While not absolutely critical, this helps in cases where the code (and password) were observed by a third party "over the shoulder".

Bouke commented 9 years ago

The specification is the following:

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

MarkusH commented 8 years ago

As with #98 I think that's a general enhancement django_otp should implement by rejecting a successfully proven token as invalid.

marcinszachun-identt commented 1 year ago

Hi,

There is logic in django_otp.models.TOTPDevice that performs just that - it does not allow using previously correctly validated tokens.

This is based on storing the last_t value in the database - this is the time step of the last verified token: https://github.com/django-otp/django-otp/blob/master/src/django_otp/plugins/otp_totp/models.py#L128

Then, when validating a token, all t values that are less than last_t are skipped: https://github.com/django-otp/django-otp/blob/master/src/django_otp/oath.py#L193

What do you think about porting this logic to PhoneDevice and the other devices provided by this library, or even making them closer to TOTPDevice, maybe by inheriting from it?

I would be interested in helping with this ticket if you think this is a good direction, or if you could point me to how this can be fixed some other way.
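To make the last_t mechanism discussed in this thread concrete, here is an added, self-contained example of an RFC 6238 verifier that records the time step of the last accepted code and rejects any replay of it. This is not django-otp's or django-two-factor-auth's code; the class and names (`TotpDevice`, `verify`, `STEP`, `TOLERANCE`) are assumptions for illustration.

```python
import hmac
import hashlib
import struct
import time

# Constructed example, not django-otp's own code: an RFC 6238 verifier that
# persists the time step (last_t) of the last accepted code and refuses any
# code whose step is not strictly later, so an observed code cannot be replayed.

STEP = 30        # time-step size in seconds (RFC 6238 default)
DIGITS = 6
TOLERANCE = 1    # accept steps t-1 .. t+1 to absorb clock drift


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, t: int) -> str:
    """Code for time step t, where t = unix_time // STEP."""
    return hotp(key, t)


class TotpDevice:
    """Minimal stand-in (assumed name) for a device record with a persisted last_t field."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_t = -1   # no code accepted yet

    def verify(self, token: str, now=None) -> bool:
        """Return True and advance last_t only for a fresh, never-accepted code."""
        now = time.time() if now is None else now
        t = int(now) // STEP
        for candidate in range(t - TOLERANCE, t + TOLERANCE + 1):
            if candidate <= self.last_t:
                continue   # step already used (or older than the last used): never accept
            if hmac.compare_digest(totp(self.key, candidate), token):
                self.last_t = candidate   # a real device would save this to the database here
                return True
        return False
```

Because last_t only moves forward, a code captured by an onlooker is useless once the legitimate user has logged in with it, and so is any code from an earlier step; the same pattern would apply to a PhoneDevice if its codes were tied to a counter or time step.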