#4248 Change password LDAP extended operation does not validate OTP
Closed: Invalid. Opened 10 years ago by npmccallum.

If OTP is enabled for a user, the user can change the first factor by validating the first factor only. While this itself isn't terrible, it provides a way to brute-force attack the first factor.

Thus, an OTP check needs to be added somewhere around ipa_pwd_extop.c:377.


This ticket is not complete yet, moving to next month milestone.

On the weekly call we agreed not to fix this and to document that no OTP is used in the chpwd extop.

The reasoning for this is that the user has already bound using 2FA, so there is no security hole. Further, clients like ldappasswd collect the passwords in reverse order (chpwd oldPassword then bind password) to what they will be evaluated by the server. This means we can never get the OTP ordering right.

Metadata Update from @npmccallum:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.0 - 2014/04

7 years ago
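The two points in this ticket, that the change-password extop checks only the first factor for an OTP user, and that an OTP check there would collide with the order in which ldappasswd collects credentials, can be seen in a small server-side model. The code below is an added illustration written for this page; it is not FreeIPA's ipa_pwd_extop.c and uses no FreeIPA API. It assumes a FreeIPA-style bind credential of `<password><6-digit token>` for OTP users, models the second factor as HOTP (RFC 4226, using that RFC's test-vector secret), and names `User`, `bind`, `chpwd_first_factor_only`, `chpwd_with_otp` and `ldappasswd_flow` as constructed helpers.

```python
"""Model of an LDAP change-password extended operation with and without a
second-factor check, and of the HOTP ordering problem described in the
ticket.  Added example; not FreeIPA code.  All names are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# RFC 4226 test-vector secret, so the token values below are verifiable.
SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class User:
    name: str
    password: str                       # plaintext only because this is a model
    otp_secret: Optional[bytes] = None  # None means OTP is not enabled
    last_counter: int = -1              # highest HOTP counter already consumed

    @property
    def otp_enabled(self) -> bool:
        return self.otp_secret is not None


def verify_otp(user: User, token: str, window: int = 10) -> bool:
    """Accept a token only for a counter above the last one consumed, so a
    token can never be replayed and counters must arrive in order."""
    for counter in range(user.last_counter + 1, user.last_counter + 1 + window):
        if hmac.compare_digest(hotp(user.otp_secret, counter), token):
            user.last_counter = counter
            return True
    return False


def split_factors(user: User, credential: str) -> Tuple[str, Optional[str]]:
    """FreeIPA-style: an OTP user's credential is <password><token>."""
    if not user.otp_enabled:
        return credential, None
    return credential[:-DIGITS], credential[-DIGITS:]


def bind(user: User, credential: str) -> bool:
    """Simple bind: both factors are required when OTP is enabled."""
    password, token = split_factors(user, credential)
    if not hmac.compare_digest(password, user.password):
        return False
    return verify_otp(user, token) if user.otp_enabled else True


def chpwd_first_factor_only(user: User, old_password: str, new_password: str) -> bool:
    """The behaviour the ticket reports: only the first factor is checked, so
    the extop succeeds for an OTP user who presents the bare password."""
    if not hmac.compare_digest(old_password, user.password):
        return False
    user.password = new_password
    return True


def chpwd_with_otp(user: User, old_credential: str, new_password: str) -> bool:
    """Hardened variant the ticket considered: an OTP user's old credential
    must carry a valid, not-yet-consumed token."""
    password, token = split_factors(user, old_credential)
    if not hmac.compare_digest(password, user.password):
        return False
    if user.otp_enabled and not verify_otp(user, token):
        return False
    user.password = new_password
    return True


def ldappasswd_flow(user: User, chpwd_old: str, bind_cred: str, new_password: str,
                    handler: Callable[[User, str, str], bool]) -> Tuple[bool, bool]:
    """The client collects the chpwd old credential before the bind credential,
    but the server evaluates the bind first.  Returns (bind_ok, chpwd_ok)."""
    if not bind(user, bind_cred):
        return False, False
    return True, handler(user, chpwd_old, new_password)


def ordering_demo() -> Tuple[bool, bool]:
    """User types tokens in prompt order: counter 0 for the chpwd prompt,
    counter 1 for the bind prompt.  The server consumes counter 1 at bind
    time, so the older counter-0 token is rejected by the OTP-checking extop."""
    user = User("alice", "correct horse", otp_secret=SECRET)
    chpwd_cred = user.password + hotp(SECRET, 0)
    bind_cred = user.password + hotp(SECRET, 1)
    return ldappasswd_flow(user, chpwd_cred, bind_cred, "new password", chpwd_with_otp)
    # → (True, False)
```

`ordering_demo()` returns `(True, False)`: the bind succeeds and the OTP-checking change-password handler then fails, which is the ordering problem the last comment gives as the reason for leaving the extop as a first-factor-only check and documenting it. The model also makes the reported gap concrete: `chpwd_first_factor_only` succeeds for an OTP user on the bare password, whereas `chpwd_with_otp` does not.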

