With a colleague, I just tested the TOTP module I have installed in my Nextcloud (Docker image ; v15.0.4). The meaning of TOTP is
What I discovered is that TOTP is not ONE-Time and is in fact re-usable.
I logged out of my web session, re-opened the Web interface using my password only, opened a web page on my colleague’s computer, entered the UID and password on that one too. After that, I entered the TOTP code in my computer and logged in. Once in with the web interface and fully loaded, I told him the TOTP value and he entered it. He then entered in a session of his own.
There should be a flag in the database or something like that to ensure that once a --ONE-TIME-- code is used, it can not be re-used.