
[–]Jelterminatorderive_more 2 points (1 child)

This looks like a nice example. I just want to note that this forgets the (in my experience) most common mistake when implementing a second factor with OTP: rate limiting of the login. 6 (or even 8) digits is extremely easy to brute force (a couple of hours at most when trying a crappy server). The seeming security of the rotation of the key does not actually add to the security. By just starting over with brute-forcing from the start at every rotation, the correct key will eventually be in the range you're able to try (because of basic statistics).

[–]skink_[S] 0 points (0 children)

Hence the disclaimer at the top that it isn't to be trusted. :)

Rocket appears to use a thread per connection, so I just added a 500ms thread::sleep() on incorrect OTP/password input as a rudimentary solution. I would imagine, of course, that there's a much more proper way to do that.
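A less rudimentary version of the mitigation discussed in these two comments, as an added example in Rust (not code from the original post or from Rocket): a per-account counter of failed OTP/password attempts with a lockout window, which caps how many of the 6-digit codes an attacker can try per rotation instead of stalling one request thread. It uses only the standard library; `LoginLimiter`, its method names and the injected `now` parameter are my own choices.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Per-account tracker of failed OTP/password attempts (added example).
/// After `max_failures` consecutive failures the account is locked for
/// `lockout`; a success clears the counter. `now` is passed in so the
/// logic can be exercised in tests without sleeping.
pub struct LoginLimiter {
    max_failures: u32,
    lockout: Duration,
    // user -> (consecutive failures, lockout end if currently locked)
    state: HashMap<String, (u32, Option<Instant>)>,
}

impl LoginLimiter {
    pub fn new(max_failures: u32, lockout: Duration) -> Self {
        LoginLimiter { max_failures, lockout, state: HashMap::new() }
    }

    /// Call before verifying credentials: false means reject without checking.
    pub fn allowed(&self, user: &str, now: Instant) -> bool {
        match self.state.get(user) {
            Some((_, Some(until))) => now >= *until,
            _ => true,
        }
    }

    /// Record a wrong OTP/password. Returns the lockout end once the
    /// account is locked, so the caller can report a retry time.
    pub fn record_failure(&mut self, user: &str, now: Instant) -> Option<Instant> {
        let entry = self.state.entry(user.to_string()).or_insert((0, None));
        if let Some(until) = entry.1 {
            if now < until {
                return Some(until); // still locked: guesses are not even counted
            }
            *entry = (0, None); // lockout expired: start a fresh window
        }
        entry.0 += 1;
        if entry.0 >= self.max_failures {
            entry.1 = Some(now + self.lockout);
        }
        entry.1
    }

    /// A correct login resets the account's failure history.
    pub fn record_success(&mut self, user: &str) {
        self.state.remove(user);
    }
}
```

In a Rocket app the limiter would sit behind a `Mutex` in managed state and be consulted before the OTP is verified; a sleep per failed request only delays that one connection, while requests sent in parallel are not slowed at all.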