Problem:
An OTP token that is generated and sent to a mobile device for one endpoint (e.g. /session) is also accepted by other endpoints, and it is not invalidated after a successful use for a period of time.
Possible impact:
This behavior conflicts with the one-time nature of an OTP and puts at risk the highly sensitive transactions this token may be used to authorize.
It also directly contradicts the TOTP specification, RFC 6238
https://tools.ietf.org/html/rfc6238
"prover may send the same OTP inside a given time-step
window multiple times to a verifier. The verifier MUST NOT accept
the second attempt of the OTP after the successful validation has
been issued for the first OTP, which ensures one-time only use of an
OTP."
Solution:
Given that TOTP is essential for this purpose, the application should not accept the same code twice, even if the code was genuinely generated.
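The following is an added illustration, not code from the report or the affected application, of a verifier that satisfies both points above: it records the highest time-step counter already consumed per user and purpose so a code is never accepted twice (the RFC 6238 MUST NOT), and it derives a distinct key per endpoint so a code issued for /session is not valid for /transfer. The per-purpose key derivation and the `OtpVerifier` class are assumptions of this example, not part of RFC 6238; the HOTP/TOTP functions follow RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second steps).

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(key, unix_time // step, digits)


def scoped_key(secret: bytes, user: str, purpose: str) -> bytes:
    """Assumption (not in RFC 6238): derive a distinct key per user and endpoint,
    so a code generated for one purpose does not verify for another."""
    return hmac.new(secret, f"{user}\x00{purpose}".encode(), hashlib.sha256).digest()


class OtpVerifier:
    """Hypothetical server-side verifier with single-use enforcement."""

    def __init__(self, secret: bytes, skew_steps: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.skew_steps = skew_steps  # tolerate +/- this many steps of clock drift
        self.step = step
        self._last_accepted = {}  # (user, purpose) -> highest counter already consumed

    def issue(self, user: str, purpose: str, unix_time: int) -> str:
        """Code the server would send to the user's phone for this purpose."""
        return totp(scoped_key(self.secret, user, purpose), unix_time, step=self.step)

    def verify(self, user: str, purpose: str, code: str, unix_time: int) -> bool:
        key = scoped_key(self.secret, user, purpose)
        now_counter = unix_time // self.step
        last = self._last_accepted.get((user, purpose), -1)
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= last:
                # Already consumed: RFC 6238 says the verifier MUST NOT accept a
                # second attempt after a successful validation in that step.
                continue
            expected = hotp(key, counter, len(code))
            if hmac.compare_digest(expected, code):
                self._last_accepted[(user, purpose)] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: RFC 4226/6238 test secret, arbitrary timestamp.
    secret = b"12345678901234567890"
    v = OtpVerifier(secret)
    t = 1_000_000
    code = v.issue("alice", "/session", t)
    print("first use:", v.verify("alice", "/session", code, t))        # True
    print("replay:", v.verify("alice", "/session", code, t + 10))      # False
    print("other endpoint:", v.verify("alice", "/transfer", code, t))  # False
```

The consumed-counter record must live in shared storage (e.g. the session database) rather than process memory in a real deployment, otherwise a replay against a different application instance would still succeed.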