[Freeipa-devel] Off Topic, was: [PATCH 0017] Add OTP support to ipalib CLI
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Sep 13 22:06:34 UTC 2013
On Sep 13, 2013, at 11:38 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> , ipatokenotpalgorithm
>
> Uses default TOTP; we do not support more for now. In future it will be a
> global policy, I assume.
This is just me, like the sig says.
I would advocate for HOTP, with a bunch of special processing for token counter regression.
If the token seed and current counter are stolen by a bad guy, and actually used, then at some point the bad guy or the real user are going to attempt an authentication using a value that's "old". This presents an opportunity to detect that the theft took place.
I regard this as a real, useful security feature which is not possible with time-based tokens, provided the verification infrastructure is set up to do the detection, and to take some action when the detection occurs. If the theft is done by a smart-enough adversary, there may be nothing to prevent them from resynchronizing the legitimate copy of the soft-token when they use it, but it still seems like a worthwhile capability. It would detect the most obvious token-theft scenarios.
Obviously, this is out-of-scope for any of your current efforts, but I wanted to throw it in the mix for possible future work.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
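The counter-regression check Henry sketches above, as an added example that is not part of this thread and not FreeIPA's own OTP code. It implements an RFC 4226 HOTP verifier (HMAC-SHA1, dynamic truncation) that keeps the last accepted counter, accepts a code from a forward look-ahead window, and separately tests whether a rejected code matches an already-consumed counter; such a match is exactly the "old value" condition that indicates a second copy of the seed is in use. The window sizes (`LOOK_AHEAD`, `BEHIND_WINDOW`) and the class and function names are assumptions chosen for illustration, and the seed is the RFC 4226 test-vector secret used as constructed sample input.

```python
import hashlib
import hmac
import struct

DIGITS = 6
LOOK_AHEAD = 10     # forward resync window; assumed value, not a FreeIPA policy
BEHIND_WINDOW = 20  # how many consumed counters to re-check for "old" codes; assumed


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the next expected counter plus a theft flag."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter   # next counter value the server expects
        self.flagged = False     # set when a consumed counter is presented again

    def verify(self, code: str) -> str:
        # 1. Normal path: the code must come from the forward look-ahead window.
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return "accepted"
        # 2. Regression detection: does the code match a counter we already consumed?
        #    A genuine token never moves backwards, so this means a second copy of
        #    the seed (and counter) is being used by either the thief or the victim.
        for c in range(max(0, self.counter - BEHIND_WINDOW), self.counter):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.flagged = True
                return "replay"
        return "rejected"


RFC4226_SECRET = b"12345678901234567890"  # RFC 4226 test-vector seed; constructed input


def theft_scenario() -> list:
    """Constructed scenario: seed+counter copied after the first login, thief logs in twice,
    then the legitimate token (still at counter 1) presents an old code."""
    server = HotpVerifier(RFC4226_SECRET, counter=0)
    results = []
    legit = 0                                            # legitimate token's counter
    results.append(server.verify(hotp(RFC4226_SECRET, legit)))
    legit += 1
    thief = 1                                            # attacker's copy, cloned at counter 1
    for _ in range(2):
        results.append(server.verify(hotp(RFC4226_SECRET, thief)))
        thief += 1
    results.append(server.verify(hotp(RFC4226_SECRET, legit)))  # "old" value: detected
    return results


if __name__ == "__main__":
    print(theft_scenario())  # ['accepted', 'accepted', 'accepted', 'replay']
```

Two caveats a deployment would need to settle. First, the behind-window check includes the most recently accepted counter, so a user who double-submits the same code is also reported as "replay"; the action taken on the flag (alert, lock, force re-enrolment) should account for that. Second, with six-digit codes a random guess matches one of the thirty candidate counters with probability roughly 3e-5, so the flag is evidence, not proof; and, as Henry notes, an adversary who also resynchronises the victim's copy leaves nothing for this check to find.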