The man-in-the-middle could be between your web client and server. You have to call the server and then generate it. With XSS attacks there are a lot of ways to read the QR code. <div>This means the secret is exposed and you can generate a valid token. ;)</div>
<div><br></div><div>If you don't want the contribution, I'm going to fork and have my own version of aerogear-otp-java. No problem. ;)</div><div class="gmail_extra"><br><br><div class="gmail_quote">2012/12/18 Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sorry Daniel, but I can't see how someone can intercept your phone's camera while you're scanning the QR code; there isn't any communication between the client and the server. That's the reason why the QR code exists.<br>
<br>
Here you can check more about how it works: <a href="http://aerogear.org/docs/specs/aerogear-security-otp/" target="_blank">http://aerogear.org/docs/specs/aerogear-security-otp/</a>. IMO the idea of inputting a PIN sounds more like HOTP, because it relies on some event happening to get a new token. Adding a large delay window like 60s will expose you to man-in-the-middle attacks, allowing your token to be reused.<br>
<div class="im HOEnZb"><br>
<br>
--<br>
"The measure of a man is what he does with power" - Plato<br>
-<br>
@abstractj<br>
-<br>
Volenti Nihil Difficile<br>
<br>
<br>
<br>
</div><div class="im HOEnZb">On Tuesday, December 18, 2012 at 3:09 PM, Daniel Manzke wrote:<br>
<br>
> With TOTP you have to share a secret. This secret will be shared with the help of a link or QR code. This can be caught by a man-in-the-middle attack.<br>
<br>
<br>
<br>
</div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Viele Grüße/Best Regards<br><br>Daniel Manzke<br>
</div>