
feat: increase entropy of OTPs generated by code strategy

Status: Open · aeneasr opened this issue 1 year ago · 3 comments

Moving forward, OTPs generated by the code strategy will match pattern [0-9a-zA-Z]{8} instead of [0-9]{6}. This increases entropy and makes it easier to defend against reverse brute force attacks.

See https://github.com/ory-corp/cloud/issues/3724

Related issue(s)

Checklist

  • [ ] I have read the contributing guidelines.
  • [ ] I have referenced an issue containing the design document if my change introduces a new feature.
  • [ ] I am following the contributing code guidelines.
  • [ ] I have read the security policy.
  • [ ] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [email protected]) from the maintainers to push the changes.
  • [ ] I have added tests that prove my fix is effective or that my feature works.
  • [ ] I have added or changed the documentation.

Further Comments

aeneasr · Dec 10 '24 09:12

A test is needed to ensure the legacy code generation still works.

aeneasr · Dec 10 '24 09:12
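The entropy claim in the issue description and the follow-up about keeping legacy code generation working can both be made concrete with a small Go program. What follows is an added example written for this page, not Kratos's own code strategy implementation: it computes the entropy of the two formats, generates codes of either shape from crypto/rand without modulo bias, accepts both shapes during a transition period, and compares submitted codes in constant time. The alphabets, the function names and the helper `GuessSuccessProbability` are assumptions made for illustration; only the two patterns `[0-9]{6}` and `[0-9a-zA-Z]{8}` come from the issue.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math"
	"math/big"
	"regexp"
)

// Alphabets and lengths for the two formats named in the issue (the constant
// names are this example's own, not Kratos identifiers).
const (
	legacyAlphabet = "0123456789"
	legacyLength   = 6
	newAlphabet    = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	newLength      = 8
)

// EntropyBits returns log2(|alphabet|^length): the bits of entropy in a code
// drawn uniformly at random from the given alphabet and length.
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// GuessSuccessProbability is a hypothetical helper: the probability that an
// attacker submitting `attempts` distinct guesses against one fixed code hits it.
func GuessSuccessProbability(alphabetSize, length int, attempts float64) float64 {
	space := math.Pow(float64(alphabetSize), float64(length))
	if attempts >= space {
		return 1
	}
	return attempts / space
}

// GenerateCode draws `length` characters uniformly from `alphabet` using
// crypto/rand. rand.Int rejection-samples below the bound internally, so the
// result has no modulo bias toward the first characters of the alphabet, which
// a naive `randomByte % len(alphabet)` would introduce.
func GenerateCode(alphabet string, length int) (string, error) {
	out := make([]byte, length)
	bound := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

var (
	legacyPattern = regexp.MustCompile(`^[0-9]{6}$`)
	newPattern    = regexp.MustCompile(`^[0-9a-zA-Z]{8}$`)
)

// IsWellFormed accepts both the legacy and the new shape so that codes issued
// before a switch remain verifiable while both formats are in circulation.
func IsWellFormed(code string) bool {
	return legacyPattern.MatchString(code) || newPattern.MatchString(code)
}

// VerifyCode rejects malformed input early and then compares in constant time,
// so response timing does not leak how many leading characters matched.
func VerifyCode(expected, submitted string) bool {
	if !IsWellFormed(submitted) || len(expected) != len(submitted) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

func main() {
	fmt.Printf("[0-9]{6}:       %.1f bits\n", EntropyBits(len(legacyAlphabet), legacyLength))
	fmt.Printf("[0-9a-zA-Z]{8}: %.1f bits\n", EntropyBits(len(newAlphabet), newLength))
	fmt.Printf("P(hit) after 1000 guesses, legacy: %g\n", GuessSuccessProbability(10, 6, 1000))
	fmt.Printf("P(hit) after 1000 guesses, new:    %g\n", GuessSuccessProbability(62, 8, 1000))
	legacy, _ := GenerateCode(legacyAlphabet, legacyLength)
	fresh, _ := GenerateCode(newAlphabet, newLength)
	fmt.Println("legacy code:", legacy, "well-formed:", IsWellFormed(legacy))
	fmt.Println("new code:   ", fresh, "well-formed:", IsWellFormed(fresh))
}
```

One caveat this example makes visible, and which bears on the custom-UI concern raised later in the thread: the new alphabet is case-sensitive. A UI that upper- or lower-cases the code before submitting it will fail verification, and if the server instead folds case to tolerate that, the effective alphabet shrinks to 36 symbols and the entropy to 8·log2(36) ≈ 41.4 bits, still well above the legacy 19.9 bits but below the 47.6 bits the pattern advertises.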

Can we follow up on this to close: https://github.com/ory-corp/cloud/issues/3724?

tricky42 · Sep 29 '25 09:09

Yes, just need to figure out how to change it without breaking customers' existing implementations - especially custom UIs.

aeneasr · Sep 29 '25 09:09