devise-two-factor is vulnerable to time-based one-time password algorithm (TOTP) replay attacks. A remote attacker is able to reuse the one-time password
immediately trailing the interval in order to gain access to the victim's account, given that the attacker already knows the victim's credentials and is able to shoulder surf
the victim's second-factor device. Note: This is due to an incomplete fix for CVE-2015-7225.
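The replay condition described above, shown as an added example that is not devise-two-factor's own code: a stateless TOTP check keeps accepting a code while it is inside the drift window, whereas a verifier that records the last consumed timestep rejects the reuse. The names `verify_stateless`, `ReplaySafeVerifier` and `matching_timestep`, the one-step drift window, and the RFC 4226 test secret are assumptions made for the illustration.

```ruby
require 'openssl'

STEP   = 30 # seconds per TOTP interval (RFC 6238 default)
DIGITS = 6

# RFC 4226 HOTP value for a counter; TOTP uses the timestep as the counter.
def hotp(secret, counter)
  mac    = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
  offset = mac.getbyte(-1) & 0x0f
  bin    = mac.byteslice(offset, 4).unpack1('N') & 0x7fffffff
  format("%0#{DIGITS}d", bin % 10**DIGITS)
end

# Returns the timestep whose code matches within +/- drift steps, or nil.
def matching_timestep(secret, code, now, drift: 1)
  current = now.to_i / STEP
  (current - drift..current + drift).find do |ts|
    OpenSSL.secure_compare(hotp(secret, ts), code.to_s)
  end
end

# Weak form: no state is kept, so an observed code stays valid for the
# whole drift window, including the interval after the one it was issued in.
def verify_stateless(secret, code, now)
  !matching_timestep(secret, code, now).nil?
end

# Hardened form: remember the highest timestep already consumed and refuse
# any code at or below it. In an application this value would be persisted
# per user (assumption: one in-memory verifier object per user here).
class ReplaySafeVerifier
  def initialize(secret)
    @secret = secret
    @consumed_timestep = nil
  end

  def verify(code, now)
    ts = matching_timestep(@secret, code, now)
    return false if ts.nil?
    return false if @consumed_timestep && ts <= @consumed_timestep

    @consumed_timestep = ts
    true
  end
end
```

The consumed timestep has to be written atomically with the successful login, otherwise two concurrent requests carrying the same code can both pass the check.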