[security-dev] TOTPCredentails should not be associated with Password

Pedro Igor Silva psilva at redhat.com
Tue Jun 11 11:03:31 EDT 2013

You're right. In order to update the secret key is necessary to specify the password too. You're not required to provide the exact password, given that it will be updated with what you provided.

Regarding multiple tokens, we can easily support that changing the handler's logic.

Would be nice a PR :). If you want to, I can work on something do those changes.

----- Original Message -----
From: "Bill Burke" <bburke at redhat.com>
To: security-dev at lists.jboss.org
Sent: Tuesday, June 11, 2013 11:19:56 AM
Subject: [security-dev] TOTPCredentails should not be associated with	Password

Right now, AFAICT, you cannot update the TOTP secret key without also 
knowing the password.  I"d like to not have TOTP classes inherit from 
the corresponding Password classes.  I can implement and provide a pull 
request if you agree.

Another thing to think about down the road is that you may want to allow 
multiple tokens.  Tokens generated by different devices owned by the user.

Bill Burke
JBoss, a division of Red Hat
security-dev mailing list
security-dev at lists.jboss.org

More information about the security-dev mailing list