Allow a timestamp to be passed to TOTP to filter out any possible options before that point
ryall opened this issue · comments
Is your feature request related to a problem? Please describe.
Currently, if a man-in-the-middle attack were to happen, the attacker could reuse the same token as the end-user, reducing the security benefit of OTP.
Describe the solution you'd like
To mitigate this problem, I'd like to be able to pass a fromTimestamp
property when checking TOTP tokens, so that all tokens that are generated using that timestamp or before are counted as invalid. This property can then be saved in the user's database and prevents the same token or older tokens from being used more than once.
Additional context
You can see an example of this in this Google 2FA library for PHP. It's easy to implement by simply discarding any options before or equal to the current timestamp.