We currently have tests which log in to our application based on username/password and OTP. The tests are run on every Pull Request as well as during development on local instances. All of them share the same username for authentication.
We are using the hectorm/otpauth library (One Time Password (HOTP/TOTP) library for Node.js, Deno, Bun and browsers) for obtaining the OTP. The more PRs there are in place, the more tests start to fail.
- the OTP can be used only once (one browser, one device, etc.), meaning that if someone else tries to log in within the 30-second time window then it fails
We introduced a function that repeats every 5 seconds, generating a new code and typing it (for 30 seconds). But then another problem occurs: after a few attempts with a wrong code the account is simply blocked for 10 minutes.
I have several questions:
- is it possible to not block the account? Then we would finally be able to log in even while repeatedly generating the code
- how can I check how much time is left on the current OTP?
- is it possible to disable MFA only for particular users?