On 4/27/22 17:28, lists wrote:
> The TOTP built into Linux has a 30 second time limit but most
> implementations approve the stale code making it effectively 60
> seconds.
>
> Hackers have either implemented [..] a man in the middle attack
> intercepted the token.
An implementation taking the "one-time" in "TOTP" seriously will lock a
seen time-step from being reused.
See also:
https://datatracker.ietf.org/doc/html/rfc6238#section-5.2
"Second, the next different OTP must be generated in the next time-step
window."
I guess many TOTP implementations are sloppy though.
Ciao, Michael.
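As an added example (not code from this thread or from any of the implementations discussed), here is a small verifier that tolerates one step of clock skew, so a "stale" code from the previous 30-second window is still accepted, but records the highest time-step consumed and refuses any code for that step or an earlier one, as RFC 6238 section 5.2 requires. The secret is the RFC 4226/6238 test-vector key; everything else is assumed for illustration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_step(now: int, step: int = 30) -> int:
    """RFC 6238 time-step counter T for a Unix time `now`."""
    return now // step


class TotpVerifier:
    """Accepts codes for the current step and +/- `skew` neighbouring steps,
    but never for a time-step at or below the last one already consumed."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_step = -1  # highest time-step a valid code has been accepted for

    def verify(self, code: str, now: int) -> bool:
        current = totp_step(now, self.step)
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # replay of a consumed (or older) step: reject
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate  # lock this step from reuse
                return True
        return False


# Constructed demo using the RFC test-vector secret "12345678901234567890".
SECRET = b"12345678901234567890"
```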