[aerogear-dev] OTP

Erik Jan de Wit edewit at redhat.com
Tue Mar 24 13:01:56 EDT 2015


I agree that TOTP in general is more safe, but the difference is marginal.
TOTP is based off HOTP, and why not support both? We could add a note saying
that we would encourage users to use TOTP instead, but what if they have to
use HOTP because they have a linotp server like we do? It's still more
secure than a normal password.

On Tue, Mar 24, 2015 at 5:52 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Once TOTPs are short-lived, in other words time based, an attacker must
> be more clever.
>
> Nothing is impossible, but TOTP is pretty much safer. If this is
> something that we should support because Keycloak has it implemented,
> cool. Otherwise, I don't see why we really need it.
>
> This is my opinion; if the whole team agrees on it, go ahead.
>
> On Tue, Mar 24, 2015 at 12:14 PM, Erik Jan de Wit <edewit at redhat.com>
> wrote:
>
>> How does TOTP stop the zombies from getting your token and using it?
>>
>> On Tue, Mar 24, 2015 at 4:09 PM, Bruno Oliveira <bruno at abstractj.org>
>> wrote:
>>
>>> I think you missed the point here; it does not work around the problem.
>>> If you make use of linotp or whatever app with HOTP, you generate event
>>> based tokens, and this is how the workflow works:
>>>
>>> 1. You generate the event based tokens
>>> 2. Send to the server
>>> 3. Server validates
>>>
>>> In a not so awesome world, this is what could happen
>>>
>>> 1. You generate the event based tokens
>>> 2. Send to the server
>>> 3. Zombies intercept and collect your token, sending the HTTP response
>>> "invalid token", forcing you to provide more valid tokens.
>>> 4. Zombies make use of your tokens whenever they want.
>>>
>>> So unless we have a good use case scenario rather than just "we use it
>>> internally", and the Android team also agrees on it, I don't see HOTP happening.
>>>
>>> On Tue, Mar 24, 2015 at 11:27 AM, Erik Jan de Wit <edewit at redhat.com>
>>> wrote:
>>>
>>>> Internally we make use of HOTP (via linotp) for our VPN, and it works
>>>> around the problem of the long-lived tokens by letting you use it only
>>>> once. The difference in implementation is not so great; it wouldn't take
>>>> long to build. In fact, I've already created a PR for the Java project.
>>>>
>>>> https://github.com/aerogear/aerogear-otp-java/pull/16
>>>>
>>>> On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <bruno at abstractj.org>
>>>> wrote:
>>>>
>>>>> Good morning Erik, I'm not against the implementation, but I have some
>>>>> considerations.
>>>>>
>>>>> As you might know, TOTPs are short-lived, which means that they only apply
>>>>> for a certain amount of time, while HOTPs are long-lived, which means that
>>>>> someone eavesdropping on the network could collect several HOTPs and reuse
>>>>> them later.
>>>>>
>>>>> Another thing to keep in mind is how to demo HOTP; at the moment we don't
>>>>> have a server nor the bandwidth to implement one.
>>>>>
>>>>> Implement it or not, it's up to you, but I would like to make sure that
>>>>> you're aware of the issues with HOTP.
>>>>>
>>>>> On 2015-03-23, Erik Jan de Wit wrote:
>>>>> > Hi,
>>>>> >
>>>>> > I was adding OTP support for Windows, and that started to make me
>>>>> > wonder if it would be nice to add HOTP as well as TOTP; for instance,
>>>>> > our linotp server uses this. The only difference between the two is
>>>>> > that HOTP uses a counter that is incremented and TOTP is time based.
>>>>> > So it would be fairly easy to implement, and for instance on Windows
>>>>> > there aren't any apps that support both.
>>>>> >
>>>>> > Wdyt?
>>>>> >
>>>>> > --
>>>>> > Cheers,
>>>>> >        Erik Jan
>>>>>
>>>>> > _______________________________________________
>>>>> > aerogear-dev mailing list
>>>>> > aerogear-dev at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> abstractj
>>>>> PGP: 0x84DC9914
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Cheers,
>>>>        Erik Jan
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> "The measure of a man is what he does with power" - Plato
>>> -
>>> @abstractj
>>> -
>>> Volenti Nihil Difficile
>>>
>>>
>>
>>
>>
>> --
>> Cheers,
>>        Erik Jan
>>
>>
>
>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>



-- 
Cheers,
       Erik Jan
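The thread above turns on two points: HOTP (RFC 4226) and TOTP (RFC 6238) share one algorithm and differ only in what the moving factor is (a counter versus a time step), and an HOTP code that never reached the server stays acceptable until the server's counter moves past it, whereas a TOTP code dies with its time step. The following Python is an added example written for this page, not code from aerogear-otp-java or linotp; the verifier classes, the look-ahead and drift parameters, and the timestamps in the replay scenario are constructed for illustration. The secret is the RFC 4226 appendix D test key, so the values can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the same computation, with the counter replaced by the
    number of `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side HOTP state for one user (assumed design, not linotp's):
    the next expected counter plus a small look-ahead window (RFC 4226
    section 7.2) so that codes the client generated but never submitted
    do not desynchronise the two sides."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = 0  # next counter value the server will accept

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                # Resynchronise past the accepted value: this code and every
                # earlier one are now spent, so a second submission fails.
                self.counter = c + 1
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Accept the current step plus `drift` steps either side for clock skew."""
    for k in range(-drift, drift + 1):
        expected = totp(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def replay_after_interception(secret: bytes) -> tuple:
    """Model the thread's scenario: a code leaves the client but is swallowed
    before the server sees it, and is submitted much later.
    Returns (hotp_replay_accepted, totp_replay_accepted)."""
    # Constructed HOTP case: the client has advanced to counter 3 while the
    # server still expects counter 0 because nothing it sent got through.
    # Counter 3 is inside the look-ahead window, so the old code still works.
    stolen_hotp = hotp(secret, 3)
    server = HotpVerifier(secret)
    hotp_replayed = server.verify(stolen_hotp)

    # Constructed TOTP case: a code captured at t=59 and replayed ten minutes
    # later is 20 steps away, far outside the +/-1 step skew allowance.
    stolen_totp = totp(secret, 59)
    totp_replayed = verify_totp(secret, stolen_totp, 59 + 600)
    return hotp_replayed, totp_replayed


if __name__ == "__main__":
    # RFC 4226 appendix D test secret; constructed input, not a real key.
    SECRET = b"12345678901234567890"
    print("HOTP(0) =", hotp(SECRET, 0), " TOTP(t=59) =", totp(SECRET, 59))
    print("replay accepted (HOTP, TOTP):", replay_after_interception(SECRET))
```

The replay helper shows why the thread's "zombies" matter for HOTP specifically: the look-ahead window that keeps a real client usable is exactly the room a swallowed code lives in, and only the server advancing its counter (on a successful login, or by an explicit resynchronisation) closes it. A narrow window, rate limiting on failed attempts, and transport protection for the submission are the usual mitigations on the server side.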