hashicorp · benashz · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025
@@ -0,0 +1,3 @@
+```release-note:bug
+identity/mfa: revert cache entry change from #31217 and document cache entry values
+```
@@ -329,7 +329,7 @@ func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) {
 	// let's make sure the configID is not blocked for other users
 	doTwoPhaseLogin(t, userClient2, enginePath2, methodID, testuser2)
 
-	// let's see if user1 is able to login after 3 + 3*2 = 9 seconds
+	// let's see if user1 is able to login after 3 * (2+1) = 9 seconds
 	time.Sleep(9 * time.Second)
 	doTwoPhaseLogin(t, userClient1, enginePath1, methodID, testuser1)
 

@@ -2343,9 +2343,10 @@ func (c *Core) validateTOTP(ctx context.Context, mfaFactors *MFAFactor, entityMe
 		return fmt.Errorf("failed to validate TOTP passcode")
 	}
 
-	// The duration in which a passcode is stored in cache to enforce
-	// rate limit on failed totp passcode validation
-	passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period) * int64(2*totpSecret.Skew))
+	// The duration in which a rateLimitID (configID_entityID) is used to limit the number of TOTP validation attempts.
+	// The passcode will be added to the usedCodes cache later, with a different TTL, with the skew and period.
+	passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period))
+
 	// Enforcing rate limit per MethodID per EntityID
 	rateLimitID := fmt.Sprintf("%s_%s", configID, entityID)