Web Security 0 HackerOne Web Authentication Endpoint Credentials Brute-Force Vulnerability. Posted on June 27, 2016 by Arne Swinnen. I publicly disclosed a vulnerability that I found on and reported to the HackerOne platform. It involved a brute-force rate limiting protection bypass via IPv6. It can be found here. Web Security 10In the next step, you'll need the one-time password (otp), which can be obtained by using the barcode_uri to generate a QR code that can be scanned by the OTP generator of your choice (such as Google Authenticator). Once the user scans that QR code, they will be able to obtain the OTP code.$\begingroup$ OTP is not vulnerable to brute-force because a dictionary attack against an OTP yields the dictionary itself. $\endgroup$ - Mindwin Mar 3 '16 at 17:19 3 $\begingroup$ The reason is that It's the same problem as with the library of Babel $\endgroup$ - Vandermonde Mar 5 '16 at 3:49I assume that you are talking 2FA system and have moderate knowledge of what an OTP is, how it works, and comfortable of terms like HOTP and TOTP. I also assume the server of the service and user's device aren't compromised, and the service provid...HMAC-based One-time Password (HOTP) is a popular alternative to TOPT, which implements an algorithm that computes the one-time password using a secret shared with the authentication server and a counter that is incremented every time an OTP is produced (instead of current time in TOPT).