HIGH: Previous implementation used 30-second timestamp windows, allowing
TOTP codes to be reused multiple times within the same window via concurrent
requests or brute force attacks.
Changes:
- Track individual used codes instead of timestamps
- Store last 5 used codes with expiration (90 seconds)
- Reduce acceptance window to ±30s (valid_window=1)
- Automatically clean up expired codes
Security Impact:
- Prevents TOTP code reuse attacks
- Blocks brute force attempts within time windows
- Strengthens 2FA protection significantly
Tests: All TOTP tests passing, replay protection verified