The man-in-the-middle could be between your web client and server. You have to call the server and then generate it. With XSS attacks there are a lot of ways to read the QR code.
This means the secret is exposed and you can generate a valid token. ;)
If you don't want the contribution I'm going to fork and have my own version of aerogear-otp-java. No problem. ;)
2012/12/18 Bruno Oliveira <bruno(a)abstractj.org>
Sorry Daniel, but I can't see how someone can intercept your phone's camera while you're scanning the QR code; there isn't any communication between the client and the server. That's the reason why the QR code exists. Here you can check more about how it works: http://aerogear.org/docs/specs/aerogear-security-otp/. IMO the idea of inputting a PIN sounds more like HOTP, because it relies on some event happening to produce a new token. Adding a large delay window like 60s will expose you to man-in-the-middle attacks, allowing your token to be reused.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, December 18, 2012 at 3:09 PM, Daniel Manzke wrote:
> With TOTP you have to share a secret. This secret will be shared with
> the help of a link or QR code. This can be caught by a man-in-the-middle
> attack.
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Viele Grüße/Best Regards
Daniel Manzke