Split from bug 5608:
When it comes to alternatives, it's worth noting that our requirement is using
the OTP twice: one time against the master, one time against the agent. Many
TOTP implementations allow this. This includes google-authenticator. It allows
a "DISALLOW_REUSE" parameter in the config, but apparently it's not there by
default. Also, according to this Twitter post, many other implementations also
accept the OTP multiple times:
"Amazing how many vendors allow reuse of TOTP/2FA codes within time window.
Culprits: most banks, Github… At least Google follows the RFC."
The RFC indeed does not allow multiple use of the OTP:
> Note that a prover may send the same OTP inside a given time-step
> window multiple times to a verifier. The verifier MUST NOT accept
> the second attempt of the OTP after the successful validation has
> been issued for the first OTP, which ensures one-time only use of an
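To make the difference concrete, here is an added example (not code from ThinLinc, google-authenticator or the RFC) of an RFC 6238 verifier that records the last accepted time-step per user, so a second presentation of the same OTP is rejected exactly as the quoted MUST NOT requires, next to the behaviour of a verifier with reuse allowed. It also models the "token caching" idea from our documentation: a small front-end cache that lets the agent's second presentation of an already-validated code succeed once without the OTP verifier seeing it twice. The secret, user name, cache TTL and single-replay policy are assumptions chosen for the example; the test vector is the RFC 6238 SHA-1 one.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(secret, now // step)


class Verifier:
    """TOTP verifier. With disallow_reuse=True it behaves as the RFC requires:
    once a time-step has been accepted for a user, no code for that step (or an
    older one) is accepted again. With disallow_reuse=False it behaves like the
    permissive implementations discussed above."""

    def __init__(self, secrets: dict, window: int = 1, disallow_reuse: bool = True):
        self.secrets = secrets            # user -> shared secret (assumed store)
        self.window = window              # accept +/- this many steps of clock skew
        self.disallow_reuse = disallow_reuse
        self.last_step = {}               # user -> highest time-step already accepted

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if hmac.compare_digest(hotp(secret, step), code):
                if self.disallow_reuse and step <= self.last_step.get(user, -1):
                    return False          # same (or older) step already consumed
                self.last_step[user] = max(step, self.last_step.get(user, -1))
                return True
        return False


class TokenCache:
    """Model of a 'token caching server' in front of a strict verifier: the first
    presentation of (user, code) is validated by the verifier and remembered; one
    replay within ttl seconds (the agent's check) is answered from the cache."""

    def __init__(self, verifier: Verifier, ttl: int = 60):
        self.verifier = verifier
        self.ttl = ttl                    # assumed cache lifetime
        self.cache = {}                   # (user, code) -> expiry time

    def verify(self, user: str, code: str, now: int) -> bool:
        key = (user, code)
        expiry = self.cache.pop(key, None)   # single replay: entry is consumed
        if expiry is not None and now < expiry:
            return True
        if self.verifier.verify(user, code, now):
            self.cache[key] = now + self.ttl
            return True
        return False


# Constructed demo using the RFC 6238 SHA-1 test secret.
SECRET = b"12345678901234567890"


def demo() -> dict:
    code = totp(SECRET, 59)                       # RFC vector: "287082"
    strict = Verifier({"alice": SECRET})
    lax = Verifier({"alice": SECRET}, disallow_reuse=False)
    cached = TokenCache(Verifier({"alice": SECRET}), ttl=60)
    return {
        "code": code,
        "strict": (strict.verify("alice", code, 59), strict.verify("alice", code, 70)),
        "lax": (lax.verify("alice", code, 59), lax.verify("alice", code, 70)),
        "cached": (cached.verify("alice", code, 59),   # master: validated, cached
                   cached.verify("alice", code, 70),   # agent: served from cache
                   cached.verify("alice", code, 80)),  # third use: rejected
    }


if __name__ == "__main__":
    print(demo())
```

The strict verifier returns (True, False) for the master/agent pair, which is why ThinLinc cannot work against an RFC-compliant server without something like the token cache; the lax verifier returns (True, True), matching the google-authenticator default; the cached variant returns (True, True, False), allowing exactly the two uses the architecture needs while the back-end verifier still sees each OTP only once.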
*** Bug 7000 has been marked as a duplicate of this bug. ***
Our documentation states that we require:
> An OTP server which accepts the OTP twice. This is due to the ThinLinc architecture: The client first contacts the master machine, and then the agent host. When using RSA SecurID, we recommend using the Steel-Belted Radius server as a "Token Caching Server".