Linus Nordberg <linus at nordu.net> writes:

> What kind of OTP systems are vulnerable to replay attacks?

TOTP is, isn't it?  Time-based OTP doesn't, so far as I understand it,
store a sequence number, so there isn't a non-time way of invalidating
used codes.

-- 
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
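
The replay window discussed in the message above, shown next to the usual verifier-side mitigation, as an added example that is not part of the original thread. The class names, the `skew` parameter and the in-memory `last_step` field are assumptions for illustration; the key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(key, now // STEP, digits)

class StatelessVerifier:
    """Keeps no per-user state, so a code stays valid for its whole window."""
    def __init__(self, key: bytes, skew: int = 1):
        self.key, self.skew = key, skew

    def matching_step(self, code: str, now: int):
        """Return the time step whose code matches, or None."""
        current = now // STEP
        for step in range(max(0, current - self.skew), current + self.skew + 1):
            if hmac.compare_digest(hotp(self.key, step).encode(), code.encode()):
                return step
        return None

    def verify(self, code: str, now: int) -> bool:
        return self.matching_step(code, now) is not None

class ReplayResistantVerifier(StatelessVerifier):
    """Remembers the last accepted time step and refuses that step or older."""
    def __init__(self, key: bytes, skew: int = 1):
        super().__init__(key, skew)
        self.last_step = -1  # hypothetical per-user state; persist it in practice

    def verify(self, code: str, now: int) -> bool:
        step = self.matching_step(code, now)
        if step is None or step <= self.last_step:
            return False  # wrong code, or a code from an already-used step
        self.last_step = step
        return True
```

Storing the last accepted step is the "non-time" state the plain algorithm lacks; it also means a user cannot log in twice within one 30-second step.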