[aerogear-dev] [OTP] Mobile-OTP / OTP for .NET

Daniel Manzke daniel.manzke at googlemail.com
Tue Dec 18 15:48:43 EST 2012


The man-in-the-middle could be between your web client and server. You have
to call the server and then generate it. With XSS attacks there are a lot
of ways to read the QR code.
This means the secret is exposed and you can generate a valid token. ;)

If you don't want the contribution I'm going to fork and have my own
version of aerogear-otp-java. No problem. ;)


2012/12/18 Bruno Oliveira <bruno at abstractj.org>

> Sorry Daniel, but I can't see how someone can intercept your phone's
> camera while you're scanning the QR code; there is no communication
> between the client and the server. That's the reason why the QR code exists.
>
> Here you can check more about how it works:
> http://aerogear.org/docs/specs/aerogear-security-otp/. IMO the idea of
> inputting a PIN sounds more like HOTP, because it relies on some event
> happening to produce a new token. Adding a large delay window like 60s will expose
> you to man-in-the-middle attacks, allowing your token to be reused.
>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>
>
> On Tuesday, December 18, 2012 at 3:09 PM, Daniel Manzke wrote:
>
> > With TOTP you have to share a secret. This secret will be shared with
> the help of a link or QR code. This can be caught by a man-in-the-middle
> attack.
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Viele Grüße/Best Regards

Daniel Manzke
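The two points argued in this thread (the TOTP secret travels in clear inside the provisioning link or QR code, and a wide acceptance window lets a captured token be replayed) can be seen in a few lines of code. The following is an added example, not code from aerogear-otp-java or the OTP for .NET port; it implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1, builds the otpauth URI that a QR code encodes, and adds a server-side verifier with a drift window plus a replay guard. The secret is the RFC test key, and the account and issuer names are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample: the RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890").
SAMPLE_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth URI that gets rendered as the QR code.

    The shared secret is embedded in clear (base32), so whoever can read this string,
    whether from the page DOM, an intercepted link or a screenshot, can mint valid tokens.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}")


class TotpVerifier:
    """Server-side check: accept codes within +/- window_steps, but never twice."""

    def __init__(self, secret: bytes, window_steps: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.window_steps = window_steps
        self.step = step
        self.last_counter = -1  # highest time-step counter already consumed

    def verify(self, code: str, at_time: int) -> bool:
        now = int(at_time) // self.step
        for c in range(now - self.window_steps, now + self.window_steps + 1):
            if c <= self.last_counter:
                continue  # replay guard: this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def replay_demo() -> tuple:
    """Same code presented twice: first use accepted, replay rejected, next step accepted."""
    v = TotpVerifier(SAMPLE_SECRET, window_steps=1)
    code = totp(SAMPLE_SECRET, 59)            # counter 1
    first = v.verify(code, 59)                # True
    replay = v.verify(code, 70)               # False: counter 1 already consumed
    later = v.verify(totp(SAMPLE_SECRET, 95), 95)  # True: counter 3 is new
    return first, replay, later


def window_demo(window_steps: int) -> bool:
    """A code minted at t=59 presented at t=119 (two steps later) to a fresh verifier.

    With a one-step window it is stale and rejected; with a two-step window it is still
    accepted, which is exactly the replay exposure a wide window buys.
    """
    v = TotpVerifier(SAMPLE_SECRET, window_steps=window_steps)
    return v.verify(totp(SAMPLE_SECRET, 59), 119)


if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "alice@example.org", "Example"))
    print("replay demo (first, replay, later):", replay_demo())
    print("window 1 step accepts stale code:", window_demo(1))
    print("window 2 steps accepts stale code:", window_demo(2))
```

The replay guard is what makes a drift window safe: the window only decides how far the client's clock may be off, while `last_counter` guarantees each time step can be spent once. Without it, widening the window to tolerate 60 s of delay also widens the period in which an observed code can be submitted again.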

