I agree that TOTP in general is more save, but the difference is marginal TOTP is based off HOTP and why not support both? We could add a note saying that we would encourage users to use TOTP instead, but what if that have to use HOTP because they have a linotp server like we do. It's still more secure then a normal password.

On Tue, Mar 24, 2015 at 5:52 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
Once TOTPs are short-lived, into other words, time based. An attacker must be more clever.

Nothing is impossible, but TOTP is pretty much more safe. If this is something that we should support, because Keycloak have it implemented, cool. Otherwise, I don't see why we really need it.

This is my opinion, if the whole team agree on it, go ahead.

On Tue, Mar 24, 2015 at 12:14 PM, Erik Jan de Wit <edewit@redhat.com> wrote:
How does TOTP stop the zombies from getting your token and using it?

On Tue, Mar 24, 2015 at 4:09 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
I think you missed the point here, it does not works around the problem. If you make use of linotp or whatever app with HOTP. You generate event based tokens and this is how the workflow works:

1. You generate the event based tokens
2. Send to the server
3. Server validates

In a not so awesome world, this is what could happen

1. You generate the event based tokens
2. Send to the server
3. Zombies intercept and collect your token, sending the HTTP response "invalid token". Forcing you to provide more valid tokens.
4. Zombies make use of your tokens whenever they want.

So unless we have a good use case scenario rather than just "we use it internally" and Android team also agreed on it. I don't see HOTP happening.

On Tue, Mar 24, 2015 at 11:27 AM, Erik Jan de Wit <edewit@redhat.com> wrote:
Internally we make use of HOTP (via linotp)  for our VPN and it works around the problem of the long lived tokens by letting you use it only once. The difference in implementation is not so great, it wouldn't take long to build it in fact I've already created a PR for the java project.


On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
Good morning Erik, I'm not against the implementation, but I have some
considerations.

As you might know TOTP is short-lived, which means that they only apply
for certain amount of time, while HOTP is long-lived, which means that
someone eavesdropping the network could collect several HOTPs and reuse
then later.

Other thing to keep in mind is how to demo HOTP, at the moment we don't
have a server neither bandwidth do implement one.

Implement it or not it's up to you, but I would like to make sure that
you're aware about the issues with HOTP.

On 2015-03-23, Erik Jan de Wit wrote:
> Hi,
>
> I was adding otp support for windows and that started to make me wonder if
> it would be nice to add HOTP as well as TOTP for instance our linotp server
> uses this. The only difference between the two is that HOTP uses a counter
> that is incremented and TOTP is time based. So it would be fairly easy to
> implement and for instance on windows there aren't any apps that support
> both.
>
> Wdyt?
>
> --
> Cheers,
>        Erik Jan

> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev


--

abstractj
PGP: 0x84DC9914
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev



--
Cheers,
       Erik Jan

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev



--

-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev



--
Cheers,
       Erik Jan

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev



--

-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev



--
Cheers,
       Erik Jan