https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786 --- Comment #24 from David Cook <dcook@prosentient.com.au> --- If we look at Red Hat's FOSS Identity Management system Keycloak, we can see that they do store credentials separately to the user_entity table. https://www.keycloak.org/docs/latest/server_admin/#_user-credentials http://htmlpreview.github.io/?https://gist.githubusercontent.com/thomasdarim... They store both passwords and one-time passwords using that table. I don't know about Keycloak for sure, but it's common for applications to store multiple OTPs to give users a margin of error. For instance, with AWS and Google Authenticator, you can use the current code or the past 1-2 codes I believe. Using a separate credential table would make that easier. -- You are receiving this mail because: You are watching all bug changes.