While auditing internal infrastructure for Radically Open Security, I discovered a weakness in the devise-two-factor Time-based One-time Password (TOTP) library. With the help of Chris MacNaughton, we confirmed the vulnerability and informed the upstream vendor of the library. This article has some details about the vulnerability and disclosure.
