I agree that TOTP in general is more save, but the difference is marginal
TOTP is based off HOTP and why not support both? We could add a note saying
that we would encourage users to use TOTP instead, but what if that have to
use HOTP because they have a linotp server like we do. It's still more
secure then a normal password.
On Tue, Mar 24, 2015 at 5:52 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Once TOTPs are short-lived, into other words, time based. An attacker
must
be more clever.
Nothing is impossible, but TOTP is pretty much more safe. If this is
something that we should support, because Keycloak have it implemented,
cool. Otherwise, I don't see why we really need it.
This is my opinion, if the whole team agree on it, go ahead.
On Tue, Mar 24, 2015 at 12:14 PM, Erik Jan de Wit <edewit(a)redhat.com>
wrote:
> How does TOTP stop the zombies from getting your token and using it?
>
> On Tue, Mar 24, 2015 at 4:09 PM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
>
>> I think you missed the point here, it does not works around the problem.
>> If you make use of linotp or whatever app with HOTP. You generate event
>> based tokens and this is how the workflow works:
>>
>> 1. You generate the event based tokens
>> 2. Send to the server
>> 3. Server validates
>>
>> In a not so awesome world, this is what could happen
>>
>> 1. You generate the event based tokens
>> 2. Send to the server
>> 3. Zombies intercept and collect your token, sending the HTTP response
>> "invalid token". Forcing you to provide more valid tokens.
>> 4. Zombies make use of your tokens whenever they want.
>>
>> So unless we have a good use case scenario rather than just "we use it
>> internally" and Android team also agreed on it. I don't see HOTP
happening.
>>
>> On Tue, Mar 24, 2015 at 11:27 AM, Erik Jan de Wit <edewit(a)redhat.com>
>> wrote:
>>
>>> Internally we make use of HOTP (via linotp) for our VPN and it works
>>> around the problem of the long lived tokens by letting you use it only
>>> once. The difference in implementation is not so great, it wouldn't take
>>> long to build it in fact I've already created a PR for the java project.
>>>
>>>
https://github.com/aerogear/aerogear-otp-java/pull/16
>>>
>>> On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <bruno(a)abstractj.org>
>>> wrote:
>>>
>>>> Good morning Erik, I'm not against the implementation, but I have
some
>>>> considerations.
>>>>
>>>> As you might know TOTP is short-lived, which means that they only apply
>>>> for certain amount of time, while HOTP is long-lived, which means that
>>>> someone eavesdropping the network could collect several HOTPs and reuse
>>>> then later.
>>>>
>>>> Other thing to keep in mind is how to demo HOTP, at the moment we
don't
>>>> have a server neither bandwidth do implement one.
>>>>
>>>> Implement it or not it's up to you, but I would like to make sure
that
>>>> you're aware about the issues with HOTP.
>>>>
>>>> On 2015-03-23, Erik Jan de Wit wrote:
>>>> > Hi,
>>>> >
>>>> > I was adding otp support for windows and that started to make me
>>>> wonder if
>>>> > it would be nice to add HOTP as well as TOTP for instance our
linotp
>>>> server
>>>> > uses this. The only difference between the two is that HOTP uses a
>>>> counter
>>>> > that is incremented and TOTP is time based. So it would be fairly
>>>> easy to
>>>> > implement and for instance on windows there aren't any apps
that
>>>> support
>>>> > both.
>>>> >
>>>> > Wdyt?
>>>> >
>>>> > --
>>>> > Cheers,
>>>> > Erik Jan
>>>>
>>>> > _______________________________________________
>>>> > aerogear-dev mailing list
>>>> > aerogear-dev(a)lists.jboss.org
>>>> >
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>
>>>>
>>>> --
>>>>
>>>> abstractj
>>>> PGP: 0x84DC9914
>>>> _______________________________________________
>>>> aerogear-dev mailing list
>>>> aerogear-dev(a)lists.jboss.org
>>>>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>
>>>
>>>
>>>
>>> --
>>> Cheers,
>>> Erik Jan
>>>
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>
>>
>>
>> --
>>
>> --
>> "The measure of a man is what he does with power" - Plato
>> -
>> @abstractj
>> -
>> Volenti Nihil Difficile
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>
>
>
> --
> Cheers,
> Erik Jan
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
--
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev