On Sep 13, 2013, at 11:38 AM, Dmitri Pal <d...@redhat.com> wrote:

>> , ipatokenotpalgorithm
> Uses default TOTP we do not support more for now. In future it will be a
> global policy I assume.

This is just me, like the sig says.

I would advocate for HOTP, with a bunch of special processing for token counter 

If the token seed and current counter are stolen by a bad guy, and actually 
used, then at some point the bad guy or the real user are going to attempt an 
authentication using a value that's "old".  This presents an opportunity to 
detect that the theft took place.

I regard this as a real, useful security feature which is not possible with 
time-based tokens, provided the verification infrastructure is set up to do the 
detection, and to take some action when the detection occurs.  If the theft is 
done by a smart-enough adversary, there may be nothing to prevent them from 
resynchronizing the legitimate copy of the soft-token when they use it, but it 
still seems like a worthwhile capability.  It would detect the most obvious 
token-theft scenarios.

Obviously, this is out-of-scope for any of your current efforts, but I wanted 
to throw it in the mix for possible future work.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
henry.b.h...@jpl.nasa.gov, or hbh...@oxy.edu

Freeipa-devel mailing list

Reply via email to