
support 8-digit OTP

Open rmpel opened this issue 7 years ago • 7 comments

Hi

I updated your project to support 8-digit OTP

If you like, you can merge this :)

rmpel avatar Aug 12 '17 13:08 rmpel

Thanks @rmpel !

The code looks good, but could you please provide an example of an 8-digit OTP application? Does any website or software require 8-digit OTP?

Sneezry avatar Aug 13 '17 14:08 Sneezry

I could, but that would give you access to my webapp.

I will give you an example, though.

The following secret is valid, but unused (as far as I can tell):

otpauth://totp/WordPress:MyBlog?secret=MYECVRXJLE7LEJ3Y&issuer=WordPress

will, should and does generate a 6-digit OTP. This works in all OTP apps I have encountered.

The OTP spec allows for 6- and 8-digit codes.

otpauth://totp/WordPress:MyBlog?digits=8&secret=MYECVRXJLE7LEJ3Y&issuer=WordPress

should generate an 8-digit code. This code is simply 2 extra digits prefixed to the 6-digit code.

This secret generates 948575, for example, in 6-digit mode and 34948575 in 8-digit mode. Easy verification that the 8-digit generator is generating a valid code.

rmpel avatar Aug 14 '17 08:08 rmpel

If need be, I can set up an empty WordPress with an 8-digit OTP for you to test it.

With the above URIs you can generate QR-codes and scan those with Google Authenticator on iOS. You will see the last 6 digits identical to the 6-digit code. That's all the verification you need as that is the only difference.

rmpel avatar Aug 14 '17 08:08 rmpel
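The relationship rmpel describes above (an 8-digit TOTP ends in the 6-digit TOTP for the same secret and time step) follows directly from RFC 4226 dynamic truncation: the same 31-bit integer is taken modulo 10^6 or 10^8. The following is an added example, not code from the thread or from the Authenticator project; it parses the `digits=` parameter of an otpauth URI and implements HOTP/TOTP so that the property can be checked against the secret quoted in the thread (the time at which 948575/34948575 were observed is not known, so those exact values are not reproduced here).

```python
"""Added example (not from the thread): RFC 6238 TOTP honouring the
otpauth:// ``digits=`` parameter, showing why an 8-digit code ends in
the 6-digit code for the same secret and time step."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri: str) -> dict:
    """Extract secret, digits, period and algorithm from an otpauth:// URI.
    Defaults follow the Key URI conventions: 6 digits, 30 s, SHA1."""
    parsed = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, dynamically truncate to a
    31-bit integer, then keep the low `digits` decimal digits. The spec
    allows 6 to 8 digits; anything else is rejected here."""
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")
    # Base32 secrets in QR codes are often unpadded; restore padding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Same integer, different modulus: code % 10**8 ends in code % 10**6.
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, timestamp: int, digits: int = 6,
         period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP over the Unix time divided into `period` steps."""
    return hotp(secret_b32, int(timestamp) // period, digits, algorithm)


def code_from_uri(uri: str, timestamp: int) -> str:
    """Generate the code an authenticator should show for this URI now."""
    p = parse_otpauth(uri)
    return totp(p["secret"], timestamp, p["digits"], p["period"], p["algorithm"])
```

Checked against the RFC 4226/6238 SHA1 test vectors (key `12345678901234567890`, base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`), and the last six digits of the 8-digit code always equal the 6-digit code for the thread's two URIs.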

Thanks @rmpel .

I mean, could you provide the name of a service that requires 8-digit OTP? Such as the one you mentioned, WordPress. Is it a famous plug-in for WordPress? I'd like to know how many people require this feature.

Sneezry avatar Aug 14 '17 09:08 Sneezry

I have yet to encounter a publicly available app with 8-digit OTP. I have been (and still am) developing OTP two-factor auth for all websites our company manages in order to increase their security. As I was comparing existing solutions against the OTP specifications, I discovered that although 6-digit is the default and most used, the OTP specs allow for 8 digits as well. Being a nerd with OCD I had an "if it's allowed, I need it to work" moment.

I generated a QR code with "digits=8" in the URI and, lo and behold, Google Authenticator for iOS generated 8-digit codes. I then proceeded to alter our software (easy fix) to validate 8-digit codes.

Then I registered the QR code in as many apps as I could get my hands on.

I tested 6 iOS apps, one of them being 1Password; all passed. I tested Microsoft Authenticator (Windows Phone; Google does not want to compile their app for WinPhone). MS Auth FAILED.

On desktop, there aren't many options. A few browser extensions/plugins/addons, your (awesome) Chrome extension being one of them, all failed.

1Password passed on the desktop on macOS, but failed on Windows.

I see this as a chicken-and-egg problem; if only a few apps/extensions support 8-digit codes, then software implementing OTP will not likely switch to 8 and will stay with 6.

As the specification says 6 or 8, then the OCD Nerd in me says it should be implemented for 6 and 8 :)

rmpel avatar Aug 14 '17 10:08 rmpel

OK, that makes sense, I will merge this PR after I fully test :-D

Sneezry avatar Aug 14 '17 13:08 Sneezry

The spec also allows for stronger hashes, such as SHA256, and different temporal windows, such as 60 seconds. Should Authenticator support these too? In the real world, Feitian's hardware tokens default to 60 seconds (but they can provide 30 seconds by request) for example.

Brianetta avatar Jan 31 '18 09:01 Brianetta