[Koha-bugs] [Bug 28787] Send a notice with the TOTP token

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed May 25 04:23:34 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787

--- Comment #6 from David Cook <dcook at prosentient.com.au> ---
(In reply to Martin Renvoize from comment #4)
> Hmm, I'm not so sure about this.. whilst I understand TOTP over SMS delivery
> makes sense as SMS is in theory immediate delivery.. Email has lots of
> caveats around delivery speed and so it's more common to send an HOTP or
> even a simple random string OTP in the email case due to the timeout factor?

I agree that a 30 second time window is probably too short for email. 

I suppose alternatively you could set a longer interval when using email TOTPs.
(I did a little bit of a deep dive into Auth::GoogleAuth and it's actually kind
of interesting how simple the mathematical mechanism is for establishing time
windows for TOTPs.)

Another thing we could do is add the range parameter to the verify() function I
believe. At the moment, it looks like we're not following the recommendations
of rfc6238 to allow additional backwards steps. (Typically, with a TOTP, you
can usually use up to 2-3 old codes and still work to allow for clock drift and
slow users.)
