[security-dev] managing OTP

Bill Burke bburke at redhat.com
Mon Aug 12 09:20:08 EDT 2013

On 8/12/2013 6:19 AM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: security-dev at lists.jboss.org
>> Sent: Sunday, August 11, 2013 8:58:27 AM
>> Subject: [security-dev] managing OTP
>> There's a few issues with managing credentials.  The first is, there is
>> no way to remove a credential.  This is essential to TOTP as you may end
>> up with a lost or obsolete device.
>> https://issues.jboss.org/browse/PLINK-236
> I missed that too and have discussed that with Shane a long time ago. The idea is to have a history of all account's credentials.

The reason for this is?

> If a devices becomes obsolete, you just set expiration date.

Its not just TOTP, same with password.  Every time a user has a lost 
password two new obsolete ones are added to the database:  temporary 
one, then a password change.  Maybe not such a big deal with a few 
users, but when you get to tens, hundreds of thousands of users, won't 
this kind of be a problem?

>> THe 2nd is that for TOTP, you will want to check every device on a
>> credential validation rather than just one:
>> https://issues.jboss.org/browse/PLINK-237
>> Our own VPN allows me to set up multiple tokens.  I have one on my
>> iphone and ipad just in case I lose one or the other.  OUr VPN allows me
>> to use either to login in.
> Is not a valid option you iterate over user's devices and try each one ?

Sure, this is why this is an enhancement.

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list