TOTP module

Matthew Newton mcn at
Thu Nov 16 14:18:45 UTC 2023

On 16/11/2023 14:09, João Miguel Regateiro wrote:
> I was testing my freeRadius server and I found out that a user can
> authenticate with the same TOTP multiple times within the 30 seconds
> period. From reading the RFC 6238 I understand that this must not be
> possible as the One Time Password is for one time use only.

The TOTP code is the same for the whole 30 (usually) second period.

The RFC does say that the code should only be used once, but rlm_totp 
just verifies that the code is correct.

> Could you please provide me some guidance on what I am doing wrong here?

Nothing. If you want to enforce the one time use only then you'll need 
to add some kind of caching (rlm_cache, redis, etc) to check that the 
same code is not used multiple times.


More information about the Freeradius-Users mailing list