Hello, I was testing my freeRadius server and I found out that a user can authenticate with the same TOTP multiple times within the 30 seconds period. From reading the RFC 6238 I understand that this must not be possible as the One Time Password is for one time use only. Here is my code: authorize { ldap if ((ok || updated)) { if (User-Password !~ /^(.*)([0-9]{6})$/) { reject } update request { User-Password := "%{1}" TOTP-Password := "%{2}" } # gets shared secret from ldap if ( &control:totp_teste =~ /([A-Za-z0-9]+),/ ) { update control { TOTP-Secret := "%{1}" } } totp.authenticate if (!ok) { reject } update control { Auth-Type := ldap } } } authenticate { Auth-Type ldap { ldap } } Could you please provide me some guidance on what I am doing wrong here? Thanks, Miguel