TOTP module

João Miguel Regateiro jmregateiro at gmail.com
Thu Nov 16 17:10:28 UTC 2023


Thank you for your feedback, that was very helpful!

Matthew Newton via Freeradius-Users <freeradius-users at lists.freeradius.org>
wrote on Thursday, 16/11/2023 at 14:19:

>
>
> On 16/11/2023 14:09, João Miguel Regateiro wrote:
> > I was testing my freeRadius server and I found out that a user can
> > authenticate with the same TOTP multiple times within the 30 seconds
> > period. From reading the RFC 6238 I understand that this must not be
> > possible as the One Time Password is for one time use only.
>
> The TOTP code is the same for the whole 30 (usually) second period.
>
> The RFC does say that the code should only be used once, but rlm_totp
> just verifies that the code is correct.
>
> > Could you please provide me some guidance on what I am doing wrong here?
>
> Nothing. If you want to enforce the one time use only then you'll need
> to add some kind of caching (rlm_cache, redis, etc) to check that the
> same code is not used multiple times.
>
> --
> Matthew
>


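As an added illustration of Matthew's advice (this is not code from the thread or from FreeRADIUS), a minimal RFC 6238 verifier with a cache keyed on the time step the code actually matched, so a code accepted through a lookback/lookforward window cannot be replayed in the adjacent step; the in-memory dict standing in for rlm_cache/redis, the one-step skew window and the demo secret are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII seed used by the RFC 6238 test vectors.
SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP step, the usual 30 s period
DIGITS = 6
SKEW_STEPS = 1   # assumption: tolerate one step of clock drift either side


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class ReplayGuard:
    """Accepts a correct TOTP code only once per (user, matched time step).

    This is the extra bookkeeping rlm_totp does not do: a stand-in for an
    rlm_cache/redis entry whose key is the user plus the step that matched.
    """

    def __init__(self) -> None:
        self._used: dict[tuple[str, int], int] = {}  # (user, step) -> expiry

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        current = now // TIME_STEP
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            expected = totp_code(secret, counter * TIME_STEP)
            if hmac.compare_digest(expected, code):
                key = (user, counter)
                if key in self._used:
                    return False   # correct code, but already spent
                # keep the entry until this step can no longer match
                self._used[key] = (counter + SKEW_STEPS + 1) * TIME_STEP
                self._expire(now)
                return True
        return False   # no step in the window produces this code

    def _expire(self, now: int) -> None:
        for key in [k for k, exp in self._used.items() if exp <= now]:
            del self._used[key]
```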