TOTP module

João Miguel Regateiro jmregateiro at
Thu Nov 16 17:10:28 UTC 2023

Thank you for your feedback, that was very helpful!

Matthew Newton via Freeradius-Users <freeradius-users at>
wrote on Thursday, 16/11/2023 at 14:19:

> On 16/11/2023 14:09, João Miguel Regateiro wrote:
> > I was testing my FreeRADIUS server and I found out that a user can
> > authenticate with the same TOTP multiple times within the 30 seconds
> > period. From reading RFC 6238 I understand that this must not be
> > possible as the One Time Password is for one time use only.
> The TOTP code is the same for the whole 30 (usually) second period.
> The RFC does say that the code should only be used once, but rlm_totp
> just verifies that the code is correct.
> > Could you please provide me some guidance on what I am doing wrong here?
> Nothing. If you want to enforce the one time use only then you'll need
> to add some kind of caching (rlm_cache, redis, etc) to check that the
> same code is not used multiple times.
> --
> Matthew
