devise-two-factor 1.1.0 and earlier vulnerable to replay attacks
Published: September 17, 2015
SECURITY IDENTIFIERS
- CVE: CVE-2015-7225 (NVD)
- GHSA: GHSA-x489-jjwm-52g7
- Vendor Advisory: http://www.openwall.com/lists/oss-security/2015/09/06/2
GEM
devise-two-factor
SEVERITY
CVSS v3.x: 5.3 (Medium)
PATCHED VERSIONS
>= 2.0.0
DESCRIPTION
An OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local attackers to shoulder-surf a user's TOTP verification code and use it to log in after the user has authenticated.
By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code.
Should an attacker possess a given user's authentication credentials, this flaw effectively defeats two-factor authentication for the duration of the timestep.
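As an added illustration of the flaw described above (example code, not the gem's own), the Ruby below contrasts a verifier that accepts any correct code for as long as its timestep lasts with one that records the consumed timestep and rejects a second presentation of the same code. TOTP is computed from the RFC 6238 test key (constructed input); the class names and `replay_demo` are hypothetical.

```ruby
require 'openssl'

# RFC 6238 reference test key: constructed input for this example only.
RFC_TEST_SECRET = '12345678901234567890'.freeze
STEP = 30 # timestep length in seconds

# RFC 6238 TOTP (HMAC-SHA1): HOTP over the current 30-second timestep.
def totp(secret, unix_time, digits: 6)
  counter = [unix_time / STEP].pack('Q>')         # 8-byte big-endian counter
  h = OpenSSL::HMAC.digest('sha1', secret, counter).bytes
  o = h[-1] & 0x0f                                  # dynamic truncation offset
  bin = ((h[o] & 0x7f) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3]
  format("%0#{digits}d", bin % 10**digits)
end

# Constant-time comparison so the code check itself leaks no timing.
def secure_eq(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pre-2.0.0 behaviour: a correct code is accepted as often as it is
# presented within its timestep, so a shoulder-surfed code can be replayed.
class ReplayableVerifier
  def initialize(secret); @secret = secret; end
  def validate(code, now); secure_eq(code, totp(@secret, now)); end
end

# Burn-on-use: remember the timestep of the last accepted code and refuse
# any further code for that timestep (or an earlier one).
class BurningVerifier
  def initialize(secret); @secret = secret; @consumed_timestep = nil; end
  def validate(code, now)
    timestep = now / STEP
    return false if @consumed_timestep && timestep <= @consumed_timestep
    return false unless secure_eq(code, totp(@secret, now))
    @consumed_timestep = timestep # persist this per user in a real app
    true
  end
end

# The same code presented twice inside one timestep: the real login, then the replay.
def replay_demo(now = 1_111_111_111)
  code = totp(RFC_TEST_SECRET, now)
  vuln  = ReplayableVerifier.new(RFC_TEST_SECRET)
  fixed = BurningVerifier.new(RFC_TEST_SECRET)
  { vulnerable: [vuln.validate(code, now), vuln.validate(code, now + 5)],
    patched:    [fixed.validate(code, now), fixed.validate(code, now + 5)] }
end
```

Burning the timestep closes the replay window within one step; codes for later timesteps are still accepted, so the legitimate user is not locked out.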
