TOTP module
Matthew Newton
mcn at freeradius.org
Thu Nov 16 14:18:45 UTC 2023
On 16/11/2023 14:09, João Miguel Regateiro wrote:
> I was testing my freeRadius server and I found out that a user can
> authenticate with the same TOTP multiple times within the 30 seconds
> period. From reading the RFC 6238 I understand that this must not be
> possible as the One Time Password is for one time use only.
The TOTP code is the same for the whole 30 (usually) second period.
The RFC does say that the code should only be used once, but rlm_totp
just verifies that the code is correct.
> Could you please provide me some guidance on what I am doing wrong here?
Nothing. If you want to enforce the one time use only then you'll need
to add some kind of caching (rlm_cache, redis, etc) to check that the
same code is not used multiple times.
--
Matthew
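To show what the caching step above amounts to, here is an added example that is not part of the thread and not FreeRADIUS code. It computes RFC 6238 TOTP values (HMAC-SHA1, 30-second step, 6 digits) and wraps verification in a small in-memory replay cache that plays the role rlm_cache or redis would in a RADIUS deployment. The cache is keyed on (user, time step) rather than on the code itself, so a code that matched one step cannot be accepted a second time while that step is still inside the accepted skew window. The secret and timestamps are the RFC 6238 test vectors; the user name is a constructed placeholder.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, for_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `for_time`."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ReplayCheckingVerifier:
    """Verifies a TOTP code and refuses to accept the same time step twice.

    The `_used` dict stands in for an external cache (rlm_cache, redis, ...):
    the entry's TTL is the last instant at which that step could still be
    accepted, so nothing is kept longer than the skew window requires.
    """

    def __init__(self, skew_steps: int = 1, step: int = STEP_SECONDS):
        self.skew_steps = skew_steps
        self.step = step
        self._used: Dict[Tuple[str, int], float] = {}   # (user, counter) -> expiry

    def _expire(self, now: float) -> None:
        for key, expiry in list(self._used.items()):
            if expiry <= now:
                del self._used[key]

    def verify(self, user: str, secret: bytes, code: str,
               now: Optional[float] = None) -> str:
        """Return "ok", "replay" (correct code, step already used) or "reject"."""
        now = time.time() if now is None else now
        self._expire(now)
        base = int(now) // self.step
        # accept the current step plus +/- skew_steps for clock drift
        for counter in range(base - self.skew_steps, base + self.skew_steps + 1):
            expected = totp(secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                key = (user, counter)
                if key in self._used:
                    return "replay"
                # keep the marker until this step falls out of the skew window
                self._used[key] = (counter + 1 + self.skew_steps) * self.step
                return "ok"
        return "reject"


if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 6238 SHA-1 test secret
    v = ReplayCheckingVerifier()
    print(v.verify("alice", secret, totp(secret, 59), now=59))   # ok
    print(v.verify("alice", secret, totp(secret, 59), now=70))   # replay
```

A RADIUS-side equivalent would key the cache on the user name and the matched time step (or the code) with a TTL no shorter than the accepted skew window, and reject the request when the key already exists; the logic is the same whichever store holds the entries.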