[Koha-bugs] [Bug 28786] Two-factor authentication for staff client - TOTP
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Mon Jan 17 11:10:06 CET 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786
--- Comment #62 from Jonathan Druart <jonathan.druart+koha at gmail.com> ---
(In reply to Marcel de Rooy from comment #60)
> (In reply to Jonathan Druart from comment #58)
>
> > > [2] The randomizer (which we should not use) depends on Math::Random::MT.
> > > This module says: This algorithm has a very uniform distribution and is good
> > > for modelling purposes but do not use it for cryptography.
> > > As long as we pass our own stronger secrets, no worries. See [1].
> >
> > Sorry, you lost me here. Which randomizer module?
>
> See Auth::GoogleAuth:
> use Math::Random::MT 'rand';
> sub generate_secret32
> [...]
> return $self->secret32( join( '', @chars[ map { rand( scalar(@chars) ) } 1
> .. 16 ] ) );
> Please reread earlier comment.
Not sure this is valid, but I will provide a patch anyway.
> > > [3] Martin refers earlier to Authen::OATH. I follow him there, but no
> > > blocker.
> >
> > Why? Did you see my answer on comment 23?
> > On the other hand if we do not longer use the QR code generator from
> > Auth::GoogleAuth there is no bad reason to not switch. But what are your
> > good reasons to switch then? :)
>
> Martin mentions them already. I could only add: the fact that it potentially
> exposes the secret in a GET parameter, could be reason enough?
I've answered Martin's concerns, they were not valid IMO.
I am not willing to rewrite the base of the feature here.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list