I'm using Google Authenticator in C#, ran into an issue where it lets me use the same pin even after it has expired. This actually makes sense, as all it's doing is encrypting a string, then the user scans the QR code, and the phone app generates a pin to decrypt the string. If I use the same encryption key every time, then any previously generated pin will still decrypt this. Is there any way to make the C# code force a new pin? I suppose unless I store all previously used pins, there is no way for the Google DLL to know whether it's a new pin. I don't want to make the user scan the QR code every time, just enter the generated pin.
Thanks
There is no encryption or decryption. "Google Authenticator" is just TOTP, with an identity and secret encoded in a URL, presented in a QR code.
TOTP is not a one-time-use code; it's a code that is valid for a period of time, relying on both parties to agree on the current time and a secret.
The implementation is just a hash of a secret and the current time rounded to the nearest 30 seconds.
The server implementation may also allow for clock drift, checking the previous / next N codes as well.
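The mechanism the reply describes, written out as an added example (Python, chosen so it can be checked against the RFC 6238 test vectors; this is not code from the thread, from Google Authenticator, or from the C# library the asker is using). `hotp` is the RFC 4226 HMAC-SHA1 computation, `totp` feeds it the Unix time divided into 30-second steps, and the hypothetical `TotpVerifier` class does the two server-side things discussed above: it accepts codes from neighbouring steps to tolerate clock drift, and it remembers the highest step already consumed so that the same code is refused a second time even though it is still inside its validity window. The `window` and `last_step` names and the in-memory storage are assumptions of this example; a real deployment persists the last accepted step per user.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step

# RFC 6238 test secret (ASCII "12345678901234567890"), used here as a constructed sample.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_time: float, step: int = STEP_SECONDS) -> int:
    """The 'current time rounded to 30 seconds' from the reply: the TOTP counter."""
    return int(unix_time // step)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the time step as the counter."""
    return hotp(secret, time_step(unix_time), digits)


class TotpVerifier:
    """Hypothetical server-side verifier (an assumption of this example).

    Accepts codes within +/- `window` steps of the current time to allow for clock
    drift, and remembers the highest step already accepted so that a code cannot be
    replayed while it is still valid (RFC 6238 section 5.2 recommends this).
    """

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.last_step = -1  # highest step consumed so far; persist per user in practice

    def verify(self, code: str, unix_time: Optional[float] = None) -> bool:
        now = time_step(time.time() if unix_time is None else unix_time)
        for step in range(now - self.window, now + self.window + 1):
            if step <= self.last_step:
                continue  # this step (or an older one) was already used: refuse the replay
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA-1 code is 94287082.
    print(totp(RFC6238_SECRET, 59, digits=8))
    v = TotpVerifier(RFC6238_SECRET, window=1, digits=8)
    code = totp(RFC6238_SECRET, 1111111111, digits=8)
    print(v.verify(code, 1111111111))  # first use: accepted
    print(v.verify(code, 1111111111))  # same code again: refused, even though still valid
```

The replay guard is what answers the original question: the code itself is deterministic for the whole 30-second step, so the only way to "force a new pin" is for the server to record the step it last accepted and reject anything at or before it. Storing one integer per user is enough; there is no need to keep every pin ever used.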