https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787
--- Comment #6 from David Cook <[email protected]> ---

(In reply to Martin Renvoize from comment #4)

> Hmm, I'm not so sure about this.. whilst I understand TOTP over SMS delivery
> makes sense as SMS is in theory immediate delivery.. Email has lots of
> caveats around delivery speed and so it's more common to send an HOTP or
> even a simple random string OTP in the email case due to the timeout factor?

I agree that a 30 second time window is probably too short for email. I suppose alternatively you could set a longer interval when using email TOTPs.

(I did a little bit of a deep dive into Auth::GoogleAuth and it's actually kind of interesting how simple the mathematical mechanism is for establishing time windows for TOTPs.)

Another thing we could do is add the range parameter to the verify() function I believe. At the moment, it looks like we're not following the recommendations of RFC 6238 to allow additional backwards steps. (Typically, with a TOTP, you can usually use up to 2-3 old codes and still work to allow for clock drift and slow users.)

--
Koha-bugs mailing list: https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
