[aerogear-dev] OTP
Jay Balunas
jbalunas at redhat.com
Tue Mar 24 14:19:36 EDT 2015
At this point in time, I don't think adding more functionality around OTP
is a high priority. For now let's create some JIRAs around this, and
revisit as we discuss the overall future security plans.
Wdyt?
On Tue, Mar 24, 2015 at 1:01 PM, Erik Jan de Wit <edewit at redhat.com> wrote:
> I agree that TOTP in general is more safe, but the difference is marginal.
> TOTP is based on HOTP, so why not support both? We could add a note saying
> that we would encourage users to use TOTP instead, but what if they have to
> use HOTP because they have a linotp server like we do? It's still more
> secure than a normal password.
>
> On Tue, Mar 24, 2015 at 5:52 PM, Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
>> Since TOTPs are short-lived, in other words, time based, an attacker
>> must be more clever.
>>
>> Nothing is impossible, but TOTP is pretty much safer. If this is
>> something that we should support because Keycloak has it implemented,
>> cool. Otherwise, I don't see why we really need it.
>>
>> This is my opinion; if the whole team agrees on it, go ahead.
>>
>> On Tue, Mar 24, 2015 at 12:14 PM, Erik Jan de Wit <edewit at redhat.com>
>> wrote:
>>
>>> How does TOTP stop the zombies from getting your token and using it?
>>>
>>> On Tue, Mar 24, 2015 at 4:09 PM, Bruno Oliveira <bruno at abstractj.org>
>>> wrote:
>>>
>>>> I think you missed the point here; it does not work around the
>>>> problem. If you make use of linotp or whatever app with HOTP, you generate
>>>> event-based tokens, and this is how the workflow works:
>>>>
>>>> 1. You generate the event based tokens
>>>> 2. Send to the server
>>>> 3. Server validates
>>>>
>>>> In a not so awesome world, this is what could happen
>>>>
>>>> 1. You generate the event based tokens
>>>> 2. Send to the server
>>>> 3. Zombies intercept and collect your token, sending the HTTP response
>>>> "invalid token" and forcing you to provide more valid tokens.
>>>> 4. Zombies make use of your tokens whenever they want.
>>>>
>>>> So unless we have a good use-case scenario rather than just "we use it
>>>> internally" and the Android team also agrees on it, I don't see HOTP happening.
>>>>
>>>> On Tue, Mar 24, 2015 at 11:27 AM, Erik Jan de Wit <edewit at redhat.com>
>>>> wrote:
>>>>
>>>>> Internally we make use of HOTP (via linotp) for our VPN, and it works
>>>>> around the problem of the long-lived tokens by letting you use each one only
>>>>> once. The difference in implementation is not so great; it wouldn't take
>>>>> long to build. In fact, I've already created a PR for the Java project.
>>>>>
>>>>> https://github.com/aerogear/aerogear-otp-java/pull/16
>>>>>
>>>>> On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <bruno at abstractj.org>
>>>>> wrote:
>>>>>
>>>>>> Good morning Erik, I'm not against the implementation, but I have some
>>>>>> considerations.
>>>>>>
>>>>>> As you might know, TOTPs are short-lived, which means that they only
>>>>>> apply for a certain amount of time, while HOTPs are long-lived, which
>>>>>> means that someone eavesdropping on the network could collect several
>>>>>> HOTPs and reuse them later.
>>>>>>
>>>>>> Another thing to keep in mind is how to demo HOTP; at the moment we
>>>>>> have neither a server nor the bandwidth to implement one.
>>>>>>
>>>>>> Whether to implement it or not is up to you, but I would like to make
>>>>>> sure that you're aware of the issues with HOTP.
>>>>>>
>>>>>> On 2015-03-23, Erik Jan de Wit wrote:
>>>>>> > Hi,
>>>>>> >
>>>>>> > I was adding OTP support for Windows, and that started to make me
>>>>>> > wonder if it would be nice to add HOTP as well as TOTP; for instance,
>>>>>> > our linotp server uses this. The only difference between the two is
>>>>>> > that HOTP uses a counter that is incremented and TOTP is time based.
>>>>>> > So it would be fairly easy to implement, and for instance on Windows
>>>>>> > there aren't any apps that support both.
>>>>>> >
>>>>>> > Wdyt?
>>>>>> >
>>>>>> > --
>>>>>> > Cheers,
>>>>>> > Erik Jan
>>>>>>
>>>>>> > _______________________________________________
>>>>>> > aerogear-dev mailing list
>>>>>> > aerogear-dev at lists.jboss.org
>>>>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> abstractj
>>>>>> PGP: 0x84DC9914
>>>>>
>>>>> --
>>>>> Cheers,
>>>>> Erik Jan
>>>>>
>>>>
>>>> --
>>>>
>>>> --
>>>> "The measure of a man is what he does with power" - Plato
>>>> -
>>>> @abstractj
>>>> -
>>>> Volenti Nihil Difficile
>>>>
>>>
>>> --
>>> Cheers,
>>> Erik Jan
>>>
>>
>> --
>>
>> --
>> "The measure of a man is what he does with power" - Plato
>> -
>> @abstractj
>> -
>> Volenti Nihil Difficile
>>
>
> --
> Cheers,
> Erik Jan
>