The de-facto standard is to transfer TOTP parameters, including the secret (key), using a QR code. The QR code encodes text in the so-called Key URI format described in a Google Authenticator wiki article. The TOTP standard recommends a default time-step size of 30 seconds. The HMAC-SHA-1 hash function is the default, but HMAC-SHA-256 and HMAC-SHA-512 are also allowed. The digits parameter may have the values 6 or 8 and determines the length of the one-time passcode displayed to the user. Varying the number of digits is not mentioned in the TOTP standard apart from in the Java reference implementation, but it is mentioned as an extension in the underlying HMAC-Based One-Time Password Algorithm (HOTP) standard (RFC 4226), Appendix E.1:

"A simple enhancement in terms of security would be to extract more digits from the HMAC-SHA-1 value.

For instance, calculating the HOTP value modulo 10^8 to build an 8-digit HOTP value would reduce the probability of success of the adversary from sv/10^6 to sv/10^8."

My investigations show that many common mobile authenticator apps accept QR codes for hash algorithms, periods and numbers of digits they don't support.
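To make the parameters above concrete, here is an added example (my code, not from the original post or from any authenticator app) that parses an otpauth Key URI, rejects values for algorithm, digits and period outside the set the text names, and computes HOTP/TOTP with the variable-digit extension from RFC 4226 Appendix E.1. The sample URI is constructed; its secret is the Base32 encoding of the 20-byte ASCII seed "12345678901234567890" used by the RFC 4226 and RFC 6238 test vectors, so the outputs can be checked against those tables. The strict rejection of unsupported parameters is the behaviour the post finds missing in many apps; silently falling back to defaults would generate codes the server never accepts.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Only the algorithms and digit counts the Key URI description allows.
SUPPORTED_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
SUPPORTED_DIGITS = {6, 8}


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP, with the Appendix E.1 extension of taking more than 6 digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), SUPPORTED_ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset (low nibble of last byte)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """TOTP is HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, unix_time // period, digits, algorithm)


def parse_key_uri(uri: str) -> dict:
    """Parse otpauth://totp/... or otpauth://hotp/... and refuse unsupported parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP Key URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("Key URI has no secret")

    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digits = int(params.get("digits", "6"))
    if digits not in SUPPORTED_DIGITS:
        raise ValueError(f"unsupported digits: {digits}")
    period = int(params.get("period", "30"))
    if period <= 0:
        raise ValueError(f"invalid period: {period}")

    # Secrets are Base32; pad to a multiple of 8 characters since URIs often omit '='.
    b32 = params["secret"].upper().replace(" ", "")
    key = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": key,
        "algorithm": algorithm,
        "digits": digits,
        "period": period,
    }


def uri_is_acceptable(uri: str) -> bool:
    """True only if every parameter in the URI is one this implementation supports."""
    try:
        parse_key_uri(uri)
        return True
    except ValueError:
        return False


def code_from_uri(uri: str, unix_time: int) -> str:
    """Compute the current TOTP code for a parsed Key URI at the given Unix time."""
    p = parse_key_uri(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


# Constructed sample URI; the secret is Base32("12345678901234567890"), the RFC test seed.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&algorithm=SHA1&digits=8&period=30")

if __name__ == "__main__":
    print(parse_key_uri(SAMPLE_URI))
    print(code_from_uri(SAMPLE_URI, 59))   # RFC 6238 vector for T=59, SHA1, 8 digits
    print(uri_is_acceptable(SAMPLE_URI.replace("digits=8", "digits=9")))
```

The RFC 6238 table gives 94287082 for the SHA-1 seed at T=59 with 8 digits, and the RFC 4226 table gives 755224 and 287082 for counters 0 and 1 with 6 digits; the functions above reproduce those values.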