Exactly. If the adversary has a camera pointed at your keyboard, they can even possibly attempt the more radical (and indefensible) “I literally recorded what you typed” attack. Scary stuff.
I think the argument here is that, since it can happen 30s later, you could enter your password, look at the screen, lock your screen & walk away, without being safe. Imagine a location where the mobo itself is secure enough to prevent anyone from quickly inserting something, but anyone could have quick access to the keyboard & monitor.
In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.
It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)
With that in mind, a TOTP solution probably won't help: most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock drift. If you're already using the computer 1 minute after the real owner has left, it is possible you could reuse any valid code, if you captured it.
I wouldn't be surprised... Seeing how bad we generally are at infosec. But it'd definitely be against a sane TOTP spec to allow a "one time pass" more than once.
In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.
Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.
> but also because otherwise the user could be locked out for 60s.
I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but about not allowing the valid OTP to be used twice. In the worst case, once the user has logged in, he can't log in from another device for 60s. Not a huge limitation. Also AFAIK 30s rotation of the OTP is more common/standard.
> It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)
An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.
RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).