HOTP extension #26
Comments
You mean the counter-based OTP? I was considering it but wasn't sure if anyone actually needs it. Your request does prove that it's indeed being used somewhere. I have no way of testing it, but I could provide an implementation which would produce the same output as SailOTP.
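Since "the same output as SailOTP" comes down to both apps computing RFC 4226 HOTP correctly, here is an added reference implementation (written for this page, not code from Foil Auth or SailOTP) that a port can be checked against. It uses the RFC 4226 Appendix D test vectors, shows why a token copied to a second phone drifts once either device generates codes (the client counter advances on every code), and includes the look-ahead resynchronization a verifier applies. The `parse_hotp_uri` helper assumes the de facto `otpauth://hotp/...` key URI format that most authenticator apps put in their QR codes; the page does not say what Foil Auth's own QR contains, so that part is an assumption, and the sample URI is constructed.

```python
"""RFC 4226 HOTP: generation, client counter handling, server-side verification.
Added example, not Foil Auth or SailOTP code."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 Appendix D reference secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"
RFC4226_VECTORS = ["755224", "287082", "359152", "969429", "338314",
                   "254676", "287922", "162583", "399871", "520489"]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226 section 5.3)."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 allows 6 to 8 digits")
    if not 0 <= counter < (1 << 64):
        raise ValueError("counter must fit in an unsigned 64-bit integer")
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """Client-side token state. Every generated code consumes one counter value,
    so two devices holding a copy of the same secret drift apart as soon as one
    of them generates codes the other never saw."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6):
        self.secret, self.counter, self.digits = secret, counter, digits

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1                            # advance before the code is ever used
        return code


def verify_hotp(secret: bytes, counter: int, candidate: str,
                look_ahead: int = 10, digits: int = 6):
    """Server-side check with a resynchronization window (RFC 4226 section 7.4).
    Returns the counter to store next (one past the match) or None on failure.
    Codes behind the stored counter are rejected, which is what stops replay."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def parse_hotp_uri(uri: str):
    """Parse an otpauth://hotp/<label>?secret=<base32>&counter=<n>[&digits=<d>] key URI
    (assumed de facto format, see lead-in). Returns (label, secret, counter, digits).
    The secret is only base32-encoded, not encrypted: anyone who scans the QR has it."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "hotp":
        raise ValueError("not an HOTP key URI")
    params = parse_qs(parsed.query)
    if "secret" not in params or "counter" not in params:
        raise ValueError("HOTP key URI needs both secret and counter")
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)                     # restore padding that encoders often drop
    secret = base64.b32decode(b32)
    counter = int(params["counter"][0])
    digits = int(params.get("digits", ["6"])[0])
    return unquote(parsed.path.lstrip("/")), secret, counter, digits


# Constructed sample URI using the RFC 4226 secret, starting at counter 3.
SAMPLE_URI = ("otpauth://hotp/Example:harry@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&counter=3")


def check_reference_vectors() -> bool:
    """True if hotp() reproduces all ten RFC 4226 Appendix D values."""
    return [hotp(RFC4226_SECRET, c) for c in range(10)] == RFC4226_VECTORS


if __name__ == "__main__":
    print("RFC 4226 vectors ok:", check_reference_vectors())
    phone_a = HotpToken(RFC4226_SECRET)
    phone_b = HotpToken(RFC4226_SECRET)              # a copy made before any code was used
    phone_a.next_code(); phone_a.next_code()         # two logins from phone A
    print("phone A counter:", phone_a.counter, "phone B counter:", phone_b.counter)
    print("server accepts B's stale code:", verify_hotp(RFC4226_SECRET, 2, phone_b.next_code()))
    label, secret, counter, digits = parse_hotp_uri(SAMPLE_URI)
    print(label, "first code:", hotp(secret, counter, digits))
```

The `__main__` section shows the drift case the thread is about: after phone A has used two codes, phone B's copy still sits at counter 0 and its next code is rejected by a server that already stores counter 2, because verification only looks forward. Keeping the counter in the exported QR (as noted later in the thread) is what makes a re-imported token line up with the server again.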
On 02.10.2021 at 02:16, Slava Monich wrote:
You mean the counter-based OTP? I was considering it but wasn't sure if anyone actually needs it. Your request does prove that it's indeed being used somewhere.
I have no way of testing it, but I could provide an implementation which would produce the same output as SailOTP.
Hi Slava,
counter-based OTP is a prerequisite for me to change from SailOTP to foilauth.
It's not for a public service, and I can't grant you a test user unfortunately.
I'm using SailfishX on XperiaX. And I'm using different phones, so I need to share the OTP tokens.
As mentioned, due to a security policy of one of my customers, I'm forced to use counter/HOTP.
I never read through the RFCs, but the HOTP implementation of SailOTP works, including sharing the token (by simply copying some files on the filesystem; I don't remember which ones right now).
Actually HOTP was chosen over TOTP by those guys to prevent sharing/leaking the token.
With your symmetric encoded key based encryption, it should still be possible _for me_ to duplicate the token for another device/backup, but not to leak it, so I'm not violating the customer's policy that much any more.
Would send 100€ for your efforts. Just a small share of what it's worth, but maybe it covers the conversation time with me :-)
By paypal?
Thanks,
-harry
You've got me interested. I've coded a prototype of HOTP support over the weekend. If you're willing to give it a try, you can pull rpms out of my test project on Sailfish OS public OBS (armv7hl, aarch64). Further development is probably going to be on hold until next weekend, so you have some time to provide feedback. I appreciate your willingness to make a donation. I will pass for now, please send this 100€ to your favorite open source project))
Thank you very much, highly appreciated! Yet I have to find how to reply to sender-only via GH... For the donation:
Regarding the donation, I'd vote for openrepos. Supporting a platform which allows developers to cooperate is more important than supporting individual people, IMO. As long as people have a paid daily job)) And yes, OBS is a service provided by Jolla to the community. I use it to make clean reproducible builds. It can be shut down at any time, though. If you have a token as a QR code which doesn't get scanned, try scanning it with Code Reader and see what's in there. Don't blindly copy/paste its contents though, because it contains your secret key in one form or another.
Will send 100 bucks to openrepos, early next week, mentioning slava as donor if not forbidden to do so. One general suggestion/question, regarding foil key's passphrase: If this is generally impossible, I'd very much like foilauth to get an 'ignore termination-gesture' flag - user switchable maybe. I guess it's even more unlikely that there's a hook for such a feature (on a per-app basis). Thanks a lot, beta is working great for me!
Yeah, I need to check how SailOTP stores its HOTP codes and import those too. All 4 pulley menu items are already used by Foil Auth main view, and that's a usability limit for landscape orientation. Perhaps, I should consider replacing "Lock" with "Organize" (like it's done in Foil Notes). However, I was planning to replace "Lock" with "Import" which would import multiple tokens at once from BTW, when the device gets locked by inactivity timeout, quickly unlocking it (within 20 sec or so) keeps Foil key unlocked. I may consider other locking/unlocking options when I add settings UI.
Didn't know there's an SDK/hardware/vendor limit... although some make sense, e.g. 4 pulley lines for landscape (which is the orientation I use 99% of the time), I actually don't like such limits.
I have published version 1.0.19 which supports HOTP. Let's start with that, other improvements will come later.
Thanks a lot!
Just for completeness: When adding an HOTP token by showing the QR from the Foil Auth store, the scanned token reads the correct counter state. On a 2nd step, a comprehensive re-locking setting would be fantastic - currently I don't know what/how the re-lock is triggered. Most likely by device lock. A selectable timeout would be nice, additionally selectable whether the counter starts device-lock dependent or independently after last Foil usage. Thanks,
Hello,
while SailOTP does a good job, I'd like to offer a donation or a funding share for adding HOTP.
Anybody else willing to support this extension, with code or money?
Existing tokens should be importable from SailOTP.
Thanks