auth_totp_reuse
The `auth_totp_reuse` directive controls whether a TOTP token can be reused during its validity period.
Description
The auth_totp_reuse directive is a configuration option in the NGINX Time-based One-Time Password (TOTP) authentication module that governs whether a TOTP token may be reused during its validity period. When enabled (set to 'on'), the same TOTP token is accepted for multiple authentication attempts until it expires. This is useful where users need to authenticate several times within a short time frame without generating a new token for each attempt.
Conversely, when set to 'off', a TOTP token can be used only once for authentication. This stricter approach enhances security by preventing the same code from being accepted for subsequent access attempts, which limits what an attacker can do with an intercepted code and blocks straightforward replay. This behaviour is the appropriate choice in environments where authentication events are critical and need to be tightly controlled.
The directive accepts a single argument, 'on' or 'off'; the default is 'off'. It can be placed in the 'http', 'server', 'location', or 'limit_except' context to control token reuse behaviour separately for different areas of an NGINX server, according to their access requirements.
Config Example
location /protected {
    auth_totp_realm "Protected";
    auth_totp_file /etc/nginx/totp.conf;
    auth_totp_length 8;
    auth_totp_reuse on;
    auth_totp_skew 1;
    auth_totp_step 1m;
    auth_totp_cookie "totp-session";
    auth_totp_expiry 1d;
}

Be cautious when setting auth_totp_reuse to on, as it may expose the application to replay attacks if tokens are intercepted.
Ensure that token generation intervals and expiration settings are configured properly to complement the reuse setting.
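To make the difference between the two settings concrete, the following is an added example (not the module's own code) of a small RFC 6238 TOTP verifier that models auth_totp_reuse on and off. It assumes the step (1m), skew (1) and length (8) from the config above and uses a constructed secret.

```python
# Added example: models the auth_totp_reuse on/off semantics of the NGINX
# TOTP module. This is illustrative code, not the module's implementation.
import hashlib
import hmac
import struct

STEP = 60      # auth_totp_step 1m (seconds per time step)
SKEW = 1       # auth_totp_skew 1 (accept one step either side of "now")
LENGTH = 8     # auth_totp_length 8


def hotp(secret: bytes, counter: int, digits: int = LENGTH) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (what the client shows)."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side check. reuse=True behaves like 'auth_totp_reuse on',
    reuse=False like 'auth_totp_reuse off' (each time step usable once)."""

    def __init__(self, secret: bytes, reuse: bool):
        self.secret = secret
        self.reuse = reuse
        self.used_counters = set()  # time steps already consumed (reuse off)

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        # Forget counters that fell out of the accepted window anyway.
        self.used_counters = {c for c in self.used_counters if c >= current - SKEW}
        for counter in range(current - SKEW, current + SKEW + 1):
            if not hmac.compare_digest(hotp(self.secret, counter), code):
                continue
            if not self.reuse and counter in self.used_counters:
                return False  # correct code, but already consumed: replay rejected
            self.used_counters.add(counter)
            return True
        return False
```

With reuse off, a code replayed later in the same step, or in the next step while still inside the skew window, is rejected even though it is still cryptographically valid.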