TOTP One Time Use #15

Open
OmarAlBchouti opened this issue Feb 28, 2019 · 5 comments

Comments

@OmarAlBchouti

Hello,
How do I use TOTP for one-time use (so that a code can only be verified one time)?
Thank you

@WeihanLi
Contributor

WeihanLi commented Mar 8, 2019

I'm also confused about whether a TOTP is used more than once. Have you found a solution, @OmarAlBchouti?
I guess we should retain the TOTP and matchedStep in our business logic, and verify in our business logic rather than in the TOTP library.

@eddieysong

eddieysong commented Mar 21, 2019

In readme.md:

> There is an output long called timeWindowUsed. This is provided so that the caller of the function can persist/check that the code has only been validated once.

So you can probably save the long somewhere, and check on every request whether a code has already been used to perform authentication at the given time window. It was pretty clear this library doesn't do it:

> It is up to the consumer of this library to ensure that only one match for a given time step window is actually accepted. This library will only go so far as to determine that there was a valid code provided given the current time and the key, not that it was truly used one time as this library has no persistence.

@WeihanLi
Contributor

Yeah, thanks @eddieysong

@ahmadidev

Is there any suggested solution for persisting timeWindowUsed to prevent multiple uses of the same TOTP token?
I'm doing this simply using a cache with an absolute expiration of step seconds (the value used in the Totp constructor).
But I think setting the absolute expiration to step seconds is not as efficient as calculating the time for which the TOTP is valid, because verification happens some time after the TOTP was generated.
I don't know how to use timeStepMatched to calculate the seconds for which the TOTP is valid.
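
One way to enforce the single-use check discussed in this thread, as an added example that is not part of the thread or of Otp.NET's own code: it keeps the highest accepted time step per user and also computes how long a matched code remains verifiable. `TotpReplayGuard`, `VerifyOnce` and `SecondsStillValid` are hypothetical names, the in-memory dictionary stands in for a shared store, and the expiry formula assumes the matched step equals Unix seconds divided by the step size (RFC 6238 with T0 = 0).

```csharp
using System;
using System.Collections.Generic;
using OtpNet;

// Hypothetical replay guard (not part of Otp.NET): remembers, per user,
// the highest time step that has already been accepted.
public sealed class TotpReplayGuard
{
    private const int StepSeconds = 30; // must match the step given to Totp
    private const int Previous = 1;     // look-back steps tolerated for clock drift
    // In-memory for the demo only. With several app instances, use a shared
    // store and an atomic "set if greater" update instead.
    private readonly Dictionary<string, long> _lastStep = new Dictionary<string, long>();
    private readonly object _gate = new object();

    public bool VerifyOnce(string userId, byte[] secret, string code)
    {
        var totp = new Totp(secret, step: StepSeconds);
        var window = new VerificationWindow(previous: Previous, future: 1);
        if (!totp.VerifyTotp(code, out long timeStepMatched, window))
            return false; // code does not match any step in the window

        lock (_gate) // check and update must be one atomic operation
        {
            // Reject the same step (replay) and any older step.
            if (_lastStep.TryGetValue(userId, out long last) && timeStepMatched <= last)
                return false;
            _lastStep[userId] = timeStepMatched;
            return true;
        }
    }

    // Seconds until a code from timeStepMatched stops verifying. Usable as
    // the TTL of a cache entry keyed by (user, step) instead of a fixed step.
    public static long SecondsStillValid(long timeStepMatched, DateTimeOffset now)
        => Math.Max(0, (timeStepMatched + 1 + Previous) * StepSeconds - now.ToUnixTimeSeconds());
}

public static class Demo
{
    public static void Main()
    {
        byte[] secret = KeyGeneration.GenerateRandomKey(20); // constructed sample key
        string code = new Totp(secret, step: 30).ComputeTotp();
        var guard = new TotpReplayGuard();
        Console.WriteLine(guard.VerifyOnce("alice", secret, code)); // first use
        Console.WriteLine(guard.VerifyOnce("alice", secret, code)); // same code again
    }
}
```

Storing only the last accepted step needs no expiry at all, because any later code must come from a strictly higher step.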

@Ukandu147

Otp.NET

An implementation TOTP RFC 6238 and HOTP RFC 4226 in C#. This is a port of the OtpSharp library (no longer accessible) to support .NET Core.
