by duskwuff
1642 days ago
> This still leaks that the account exists and has TOTP enabled though. You could mitigate that by prompting for an OTP code on a random but stable subset of nonexistent accounts -- for example, by hashing the provided username with a server-side secret and requesting an OTP if the hash starts with a zero.
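The decoy-prompt idea from the comment above, worked through as an added example (not code from the commenter or any real login system): a keyed hash of the username decides, stably and unpredictably, whether a nonexistent account gets an OTP prompt. The server secret, the user table, and the reading of "starts with a zero" as "first hex digit of the HMAC-SHA256 digest is 0" (roughly 1 in 16 nonexistent names) are assumptions made here.

```python
import hashlib
import hmac

# Constructed server-side secret; a real deployment loads this from a secrets store.
SERVER_SECRET = b"example-server-secret-do-not-use"

# Constructed user table: username -> whether a TOTP second factor is enrolled.
USERS = {
    "alice": {"totp_enabled": True},
    "bob": {"totp_enabled": False},
}


def decoy_otp_prompt(username: str, secret: bytes = SERVER_SECRET) -> bool:
    """Decide whether a nonexistent username gets a decoy OTP prompt.

    HMAC-SHA256 keyed with the server secret makes the decision stable for a
    given username (repeated probes see the same answer) but unpredictable to
    anyone without the secret. Assumption: "hash starts with a zero" means the
    first hex digit of the digest is '0', so about 1/16 of names are decoys.
    """
    normalised = username.strip().lower().encode("utf-8")
    digest = hmac.new(secret, normalised, hashlib.sha256).hexdigest()
    return digest[0] == "0"


def should_prompt_for_otp(username: str, users=USERS, secret: bytes = SERVER_SECRET) -> bool:
    """Login-flow decision: real TOTP users always prompt; unknown names prompt
    only when the keyed hash selects them as a decoy."""
    record = users.get(username)
    if record is not None:
        return record["totp_enabled"]
    return decoy_otp_prompt(username, secret)


def decoy_fraction(sample_size: int = 4096, secret: bytes = SERVER_SECRET) -> float:
    """Measure the share of (constructed) nonexistent usernames that get a decoy
    prompt, to check the selection rate matches the intended ~1/16."""
    names = (f"nobody-{i}" for i in range(sample_size))
    hits = sum(decoy_otp_prompt(name, secret) for name in names)
    return hits / sample_size
```

Because an existing account without TOTP still never prompts, the prompt remains a weaker but nonzero enumeration signal; the decoy rate only sets how often a probe of an unknown name is indistinguishable from a real TOTP user.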