Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It already recorded in the database when the TOTP was last used, but it allowed to reuse the same code during the grace period (30 seconds later).


Allowing authentication not only within the original time frame but one interval before and after is by design: https://en.wikipedia.org/wiki/Time-based_one-time_password#S... .


The security issue is with allowing reuse, and not because of allowing use in the previous and next time frames.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: