[aerogear-dev] [OTP] Mobile-OTP / OTP for .NET
Bruno Oliveira
bruno at abstractj.org
Tue Dec 18 12:52:14 EST 2012
Sorry Daniel, but I can't see how someone can intercept your phone's camera while you're scanning the QR code; there isn't any communication between the client and the server. That's the reason why the QR code exists.
Here you can check more about how it works: http://aerogear.org/docs/specs/aerogear-security-otp/. IMO the idea of inputting a PIN sounds more like HOTP, because it relies on some event happening to get a new token. Adding a large delay window like 60s will expose you to man-in-the-middle attacks, allowing your token to be reused.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, December 18, 2012 at 3:09 PM, Daniel Manzke wrote:
> With TOTP you have to share a secret. This secret will be shared with the help of a link or QR code. This can be caught by a man-in-the-middle attack.
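The two points argued in this message (the secret only ever travels inside the provisioning QR code, and a wide acceptance window lets an observed TOTP code be replayed) can be shown concretely. The following is an added example written for this page, not code from the thread or from the AeroGear OTP library; it implements HOTP (RFC 4226) and TOTP (RFC 6238) directly, uses the RFC reference key as a constructed secret, and compares a naive wide-window verifier with one that remembers the last accepted time step. The `otpauth://` URI format is the Key URI format used by common authenticator apps; the account and issuer names are made up.

```python
"""HOTP/TOTP with a replay-resistant verifier (added example, not AeroGear code).

The secret below is the RFC 4226/6238 reference key, constructed for the demo;
timestamps and window sizes are likewise illustrative.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Constructed demo key (the RFC test-vector secret), not a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI a provisioning QR code encodes (Key URI format).

    The shared secret moves only inside this image, from the server's screen to
    the phone's camera; no network message between client and server carries it.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":")
    return f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"


def naive_verify(secret: bytes, code: str, now: int,
                 window_seconds: int, step: int = 30) -> bool:
    """Accept any code whose time step lies within +/- window_seconds of now.

    Keeps no memory of past codes, so a code seen once by an attacker stays
    usable for the whole window: the reuse problem a 60s window creates.
    """
    skew = window_seconds // step
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - skew, counter + skew + 1))


class TotpVerifier:
    """Window-tolerant verifier that never accepts the same time step twice."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            if c <= self.last_counter:
                continue  # this step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "alice", "AeroGear"))
    code = totp(DEMO_SECRET, 59)            # code shown on the phone at t=59
    print("naive, 60s window, replayed at t=100:",
          naive_verify(DEMO_SECRET, code, 100, 60))   # True: reusable
    v = TotpVerifier(DEMO_SECRET)
    print("stateful first use:", v.verify(code, 59))  # True
    print("stateful replay:", v.verify(code, 61))     # False
```

The HOTP and TOTP outputs match the RFC test vectors (counter 0 gives 755224; time 59 with 8 digits gives 94287082), so the functions can be checked against any RFC-conformant authenticator. The stateful verifier also rejects steps older than the last accepted one, which is the conservative choice RFC 6238 suggests; a deployment that tolerates clock drift should widen `skew_steps` rather than drop the `last_counter` check.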