Internally we make use of HOTP (via linotp) for our VPN and it works around the problem of the long lived tokens by letting you use it only once. The difference in implementation is not so great, it wouldn't take long to build it in fact I've already created a PR for the java project.

https://github.com/aerogear/aerogear-otp-java/pull/16

On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <bruno@abstractj.org> wrote:

Good morning Erik, I'm not against the implementation, but I have some
considerations.

As you might know TOTP is short-lived, which means that they only apply
for certain amount of time, while HOTP is long-lived, which means that
someone eavesdropping the network could collect several HOTPs and reuse
then later.

Other thing to keep in mind is how to demo HOTP, at the moment we don't
have a server neither bandwidth do implement one.

Implement it or not it's up to you, but I would like to make sure that
you're aware about the issues with HOTP.

On 2015-03-23, Erik Jan de Wit wrote:
> Hi,
>
> I was adding otp support for windows and that started to make me wonder if
> it would be nice to add HOTP as well as TOTP for instance our linotp server
> uses this. The only difference between the two is that HOTP uses a counter
> that is incremented and TOTP is time based. So it would be fairly easy to
> implement and for instance on windows there aren't any apps that support
> both.
>
> Wdyt?
>
> --
> Cheers,
> Erik Jan

> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

--

abstractj
PGP: 0x84DC9914
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev

Cheers,

Erik Jan