Thank you for your feedback, that was very helpful! Matthew Newton via Freeradius-Users <freeradius-users@lists.freeradius.org> escreveu no dia quinta, 16/11/2023 à(s) 14:19:
On 16/11/2023 14:09, João Miguel Regateiro wrote:
I was testing my freeRadius server and I found out that a user can authenticate with the same TOTP multiple times within the 30 seconds period. From reading the RFC 6238 I understand that this must not be possible as the One Time Password is for one time use only.
The TOTP code is the same for the whole 30 (usually) second period.
The RFC does say that the code should only be used once, but rlm_totp just verifies that the code is correct.
Could you please provide me some guidance on what I am doing wrong here?
Nothing. If you want to enforce the one time use only then you'll need to add some kind of caching (rlm_cache, redis, etc) to check that the same code is not used multiple times.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html