backport of commit 078585b (#31424)

Co-authored-by: mickael-hc <[email protected]>

Author: hc-github-team-secure-vault-core

changelog/31421.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+identity/mfa: revert cache entry change from #31217 and document cache entry values
+```

vault/external_tests/identity/login_mfa_totp_test.go

@@ -329,7 +329,7 @@ func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) {
 	// let's make sure the configID is not blocked for other users
 	doTwoPhaseLogin(t, userClient2, enginePath2, methodID, testuser2)
 
-	// let's see if user1 is able to login after 3 + 3*2 = 9 seconds
+	// let's see if user1 is able to login after 3 * (2+1) = 9 seconds
 	time.Sleep(9 * time.Second)
 	doTwoPhaseLogin(t, userClient1, enginePath1, methodID, testuser1)
 

vault/login_mfa.go

@@ -2343,9 +2343,10 @@ func (c *Core) validateTOTP(ctx context.Context, mfaFactors *MFAFactor, entityMe
 		return fmt.Errorf("failed to validate TOTP passcode")
 	}
 
-	// The duration in which a passcode is stored in cache to enforce
-	// rate limit on failed totp passcode validation
-	passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period) * int64(2*totpSecret.Skew))
+	// The duration in which a rateLimitID (configID_entityID) is used to limit the number of TOTP validation attempts.
+	// The passcode will be added to the usedCodes cache later, with a different TTL, with the skew and period.
+	passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period))
+
 	// Enforcing rate limit per MethodID per EntityID
 	rateLimitID := fmt.Sprintf("%s_%s", configID, entityID)