by pyramation 1941 days ago
Thanks for the in-depth explanation. So it seems that, during the interval (which defaults to 30s), they could possibly determine the TOTP value.

It seems possible to brute force; however, as soon as the interval changes (by default every 30 seconds), the TOTP is now new because time has passed.

But assuming they could do some crazy thing like attempt 10,000 times within that interval, I suppose it's arguable that it should still be secure...

So upon research it looks like it's quite easily fixed by comparing all digits individually and then aggregating if all are true, but continuing the iteration and checks even if a false value has been found. I suppose that would cover this case.

Thanks for pointing this out! Will be adding an issue ;)
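As an added illustration (not code from the commenter or from the library under discussion): a minimal RFC 4226/6238 code generator next to the two comparison styles the comment contrasts, the early-exit check whose runtime depends on how many leading digits matched, and the check that walks every digit and only aggregates the result at the end. The secret and timestamps are the RFC 6238 test vector, not values from this thread.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_unix: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step (default 30s)."""
    return hotp(secret, at_unix // step, digits)

def verify_early_exit(expected: str, candidate: str) -> bool:
    # Stops at the first differing digit, so the loop runs longer the more
    # leading digits were right: the elapsed time leaks progress digit by digit,
    # which is what lets a guesser narrow the code within one 30s window.
    if len(expected) != len(candidate):
        return False
    for e, c in zip(expected, candidate):
        if e != c:
            return False
    return True

def verify_constant_time(expected: str, candidate: str) -> bool:
    # The fix described in the thread: check every position, never break out
    # early, OR the differences together and only read the result at the end.
    # The length check is fine to short-circuit: code length is public, not secret.
    if len(expected) != len(candidate):
        return False
    diff = 0
    for e, c in zip(expected.encode(), candidate.encode()):
        diff |= e ^ c
    return diff == 0

# Constructed demo using the RFC 6238 test secret ("12345678901234567890").
SECRET = b"12345678901234567890"
EXPECTED = totp(SECRET, 59, digits=8)          # RFC test vector at T=59 -> "94287082"
```

In production code the comparison should be `hmac.compare_digest(expected, candidate)` from the standard library, which does the same thing in C; the hand-written loop is shown only to make the "keep iterating, aggregate at the end" idea concrete.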