On Sep 13, 2013, at 11:38 AM, Dmitri Pal <d...@redhat.com> wrote:

>> , ipatokenotpalgorithm
>
> Uses default TOTP we do not support more for now. In future it will be a
> global policy I assume.

This is just me, like the sig says. I would advocate for HOTP, with a bunch of special processing for token counter regression.

If the token seed and current counter are stolen by a bad guy, and actually used, then at some point the bad guy or the real user are going to attempt an authentication using a value that's "old". This presents an opportunity to detect that the theft took place. I regard this as a real, useful security feature which is not possible with time-based tokens, provided the verification infrastructure is set up to do the detection, and to take some action when the detection occurs.

If the theft is done by a smart-enough adversary, there may be nothing to prevent them from resynchronizing the legitimate copy of the soft-token when they use it, but it still seems like a worthwhile capability. It would detect the most obvious token-theft scenarios.

Obviously, this is out-of-scope for any of your current efforts, but I wanted to throw it in the mix for possible future work.

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
henry.b.h...@jpl.nasa.gov, or hbh...@oxy.edu
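A sketch of the counter-regression detection the post describes, as an added example that is not FreeIPA code: an RFC 4226 HOTP verifier that keeps the last accepted counter and, when a presented code matches a counter that was already consumed, reports a regression rather than a plain rejection. The seed is the RFC 4226 test vector; the look-ahead and look-behind window sizes are assumed values.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class HotpVerifier:
    """Server-side state for one token. Window sizes are assumed values, not FreeIPA's."""
    def __init__(self, secret: bytes, window: int = 10, replay_watch: int = 100):
        self.secret = secret
        self.window = window              # how far ahead of last_counter we search
        self.replay_watch = replay_watch  # how far behind we look for regressions
        self.last_counter = -1            # no counter accepted yet

    def verify(self, code: str) -> str:
        """Return "ok", "regression" or "reject"."""
        # Normal path: accept the first matching counter ahead of the last one used.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return "ok"
        # Regression path: the code matches a counter already consumed, so some copy
        # of the seed has fallen behind the one last used against this server. That is
        # the theft signal the post describes; a deployment would alert or lock here.
        low = max(0, self.last_counter - self.replay_watch + 1)
        for c in range(low, self.last_counter + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                return "regression"
        return "reject"

if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 Appendix D test seed
    v = HotpVerifier(seed)
    print(v.verify(hotp(seed, 0)))  # ok
    print(v.verify(hotp(seed, 0)))  # regression: counter 0 presented a second time
```

A skipped counter (the user generated a code and never submitted it) still lands in the "ok" path, so only codes at or behind the last accepted counter raise the regression signal.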