Option to disable 128-bit requirement #46
Mhh I know I previously rejected a similar suggestion. I didn't know Discord and Paypal used smaller secrets, which kinda makes me want to scream into the void. There would definitely need to be an API change for that. Maybe a `_unchecked` variant for `new`?
Yes! Good suggestion, a new function should only have minimal effect. Would you merge that if I'd implement it? Should it be behind a feature flag? I'd be happy to go over my current TOTP database to find other examples.
I don't think a feature flag would be necessary for that.
totp-rs is strictly RFC6238 compliant. This is a good thing, but the reality is many sites/apps are still using 80 bit secrets for TOTP. These include Github, Discord, Paypal, among others. The author of totp-rs added a function `from_url_unchecked` to address this in this issue: constantoine/totp-rs#46. I suggest we use it here so that ripasso can be used practically for totp.
Currently, a >= 128-bit secret is enforced. This is probably due to RFC6238.
Some services provide a smaller secret, Discord and PayPal are two examples (80 bits). I understand this is not per RFC6238 specification, but I'd love to support those as well.
Users of prs have discussed this here. I'd therefore like to see an option to loosen this requirement. Would that be possible?
I'm thinking of a `TOTP::set_min_bits(80);` function, or even a compile-time feature to disable the check. What do you think? I'd be very happy to give this a shot in a PR.
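The check this issue asks to relax, as an added worked example in Python (standard library only). This is not code from totp-rs or ripasso; `Totp`, `new_unchecked`, `from_base32`, `min_bits` and `SecretTooShort` are names chosen here for illustration, modelled on the `set_min_bits(80)` and `_unchecked` ideas above. The 128-bit floor comes from RFC 4226 section 4 (requirement R6), which RFC 6238 inherits. The 160-bit test secret is the one from RFC 6238 Appendix B; the 16-character base32 secret is a constructed sample whose 80 bits match the Discord/PayPal case described in the issue.

```python
"""RFC 6238 TOTP with a configurable minimum-secret-size policy (added example, not totp-rs code)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 section 4 (requirement R6), which RFC 6238 builds on, says the shared
# secret MUST be at least 128 bits; this is the check the issue asks to relax.
RFC_MIN_SECRET_BITS = 128


class SecretTooShort(ValueError):
    """Raised when a secret is below the configured minimum size."""


class Totp:
    """Minimal TOTP generator. `min_bits` mirrors the proposed set_min_bits(80) idea."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30,
                 algorithm: str = "sha1", min_bits: int = RFC_MIN_SECRET_BITS):
        bits = len(secret) * 8
        if bits < min_bits:
            raise SecretTooShort(f"secret is {bits} bits, policy requires >= {min_bits}")
        self.secret = secret
        self.digits = digits
        self.step = step
        self.algorithm = algorithm

    @classmethod
    def new_unchecked(cls, secret: bytes, **kwargs) -> "Totp":
        """Hypothetical '_unchecked' constructor: skips the size policy entirely."""
        return cls(secret, min_bits=0, **kwargs)

    @classmethod
    def from_base32(cls, encoded: str, checked: bool = True, **kwargs) -> "Totp":
        """Decode an otpauth-style base32 secret (unpadded, any case, spaces allowed)."""
        cleaned = encoded.replace(" ", "").upper()
        cleaned += "=" * (-len(cleaned) % 8)   # restore the padding base32 decoders expect
        raw = base64.b32decode(cleaned)
        return cls(raw, **kwargs) if checked else cls.new_unchecked(raw, **kwargs)

    def secret_bits(self) -> int:
        return len(self.secret) * 8

    def at(self, unix_time: int) -> str:
        """Code for a given Unix time (RFC 6238: HOTP over the time-step counter)."""
        counter = int(unix_time) // self.step
        msg = struct.pack(">Q", counter)      # 8-byte big-endian counter
        digest = hmac.new(self.secret, msg, getattr(hashlib, self.algorithm)).digest()
        offset = digest[-1] & 0x0F            # RFC 4226 dynamic truncation
        binary = (((digest[offset] & 0x7F) << 24)
                  | (digest[offset + 1] << 16)
                  | (digest[offset + 2] << 8)
                  | digest[offset + 3])
        return str(binary % 10 ** self.digits).zfill(self.digits)

    def now(self) -> str:
        return self.at(int(time.time()))

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Constant-time comparison against the current step and +/- `window` steps."""
        for delta in range(-window, window + 1):
            candidate = self.at(unix_time + delta * self.step)
            if hmac.compare_digest(candidate, code):
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890", 160 bits).
    rfc = Totp(b"12345678901234567890", digits=8)
    print("RFC vector T=59:", rfc.at(59))          # 94287082 per the RFC table

    # Constructed 16-character base32 secret, i.e. 80 bits like the Discord/PayPal
    # case described in the issue. Rejected by the checked path, accepted unchecked.
    short = "JBSWY3DPEHPK3PXP"
    try:
        Totp.from_base32(short)
    except SecretTooShort as exc:
        print("checked:", exc)
    weak = Totp.from_base32(short, checked=False)
    print("unchecked:", weak.secret_bits(), "bits ->", weak.now())
```

The default stays strict and the relaxation is a separate, explicitly named constructor, so a caller only accepts a sub-RFC secret on purpose and the decision is visible at the call site. A client-side authenticator cannot change the secret a service issued; the reduced entropy of an 80-bit secret is a weakness on the service's side, and the `_unchecked` path only lets the client generate codes for what it was given.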