In a self-serve environment users are expected to login to a web page and enter the details of their token device, such that the device can be assigned to that user. To ease this process, it is sometimes more practical for the users to be allowed to enter two (or maybe even more) token values emitted from their device. This avoids issues with mis-typed serial numbers etc. This patch adds a function which matches such a token value sequence against a given list of devices. The function works on both HOTP and TOTP devices.
Sounds useful. I'm rather reluctant to add functionality to the core project that only applies to certain kinds of devices. Obviously, this trick only works if you can verify tokens in a non-destructive way, which isn't true in the general case. I like to think of otp_hotp and otp_totp as functional sample code more than anything else. Have you considered just using internal device implementations? If you think this is generally useful functionality, you could even put together a project with an abstract Device subclass that explicitly supports token searches and excludes any device that can't support that.