<div dir="ltr">Once TOTPs are short-lived, into other words, time based. An attacker must be more clever.<div><br></div><div>Nothing is impossible, but TOTP is pretty much more safe. If this is something that we should support, because Keycloak have it implemented, cool. Otherwise, I don't see why we really need it.</div><div><br></div><div>This is my opinion, if the whole team agree on it, go ahead.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 12:14 PM, Erik Jan de Wit <span dir="ltr"><<a href="mailto:edewit@redhat.com" target="_blank">edewit@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">How does TOTP stop the zombies from getting your token and using it?</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 4:09 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I think you missed the point here, it does not works around the problem. If you make use of linotp or whatever app with HOTP. You generate event based tokens and this is how the workflow works:<div><br></div><div>1. You generate the event based tokens</div><div>2. Send to the server</div><div>3. Server validates</div><div><br></div><div>In a not so awesome world, this is what could happen</div><div><br></div><div>1. You generate the event based tokens</div><div>2. Send to the server</div><div>3. Zombies intercept and collect your token, sending the HTTP response "invalid token". Forcing you to provide more valid tokens.</div><div>4. Zombies make use of your tokens whenever they want.</div><div><br></div><div>So unless we have a good use case scenario rather than just "we use it internally" and Android team also agreed on it. I don't see HOTP happening.</div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 11:27 AM, Erik Jan de Wit <span dir="ltr"><<a href="mailto:edewit@redhat.com" target="_blank">edewit@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Internally we make use of HOTP (via linotp) for our VPN and it works around the problem of the long lived tokens by letting you use it only once. The difference in implementation is not so great, it wouldn't take long to build it in fact I've already created a PR for the java project.<div><br></div><div><a href="https://github.com/aerogear/aerogear-otp-java/pull/16" target="_blank">https://github.com/aerogear/aerogear-otp-java/pull/16</a><br></div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Good morning Erik, I'm not against the implementation, but I have some<br>
considerations.<br>
<br>
As you might know TOTP is short-lived, which means that they only apply<br>
for certain amount of time, while HOTP is long-lived, which means that<br>
someone eavesdropping the network could collect several HOTPs and reuse<br>
then later.<br>
<br>
Other thing to keep in mind is how to demo HOTP, at the moment we don't<br>
have a server neither bandwidth do implement one.<br>
<br>
Implement it or not it's up to you, but I would like to make sure that<br>
you're aware about the issues with HOTP.<br>
<div><div><br>
On 2015-03-23, Erik Jan de Wit wrote:<br>
> Hi,<br>
><br>
> I was adding otp support for windows and that started to make me wonder if<br>
> it would be nice to add HOTP as well as TOTP for instance our linotp server<br>
> uses this. The only difference between the two is that HOTP uses a counter<br>
> that is incremented and TOTP is time based. So it would be fairly easy to<br>
> implement and for instance on windows there aren't any apps that support<br>
> both.<br>
><br>
> Wdyt?<br>
><br>
> --<br>
> Cheers,<br>
> Erik Jan<br>
<br>
</div></div>> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
<br>
--<br>
<br>
abstractj<br>
PGP: 0x84DC9914<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br></div></div><div><div dir="ltr">Cheers,<div> Erik Jan</div></div></div>
</div>
<br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br></div></div><span><font color="#888888"><div><div><br></div>-- <br>"The measure of a man is what he does with power" - Plato<br>-<br>@abstractj<br>-<br>Volenti Nihil Difficile</div>
</font></span></div>
<br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr">Cheers,<div> Erik Jan</div></div></div>
</div>
</div></div><br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div><br></div>-- <br>"The measure of a man is what he does with power" - Plato<br>-<br>@abstractj<br>-<br>Volenti Nihil Difficile</div>
</div>