
Possibly avoid O's in the TOTP seed provided to the user #36

Open
forevermatt opened this issue Dec 20, 2017 · 2 comments

Comments

@forevermatt
Contributor

Since the "shared secret" (a.k.a. seed) that we provide (in case the user can't scan the QR code) is base32-encoded, it can contain any capital letter as well as the numbers 2 through 7.

Unfortunately, the capital letter O can be hard to distinguish from a zero, even when using fixed-width fonts. And since the seed string will never contain a zero, you won't get the benefit of seeing an O and a 0 next to each other in order to be able to tell the difference.

This is certainly an edge case, since most of the time people will be scanning a QR code. However, if it's not too much trouble, what if we simply avoided using any seed values that contain an O?

That would effectively reduce the number of possible values (assuming our seed is 16 characters long) from 32^16 down to 31^16, but that's still a very large number of possible seeds. With any kind of rate-limit protection at all, it seems like a negligible increase in the chances of an attacker compromising your TOTP by brute force.

@devon-sil

I'm not certain of the status of this; however, a simpler solution is to make the numbers stand out from the letters (different color, underline, big arrow pointing to it saying it is a number, etc.).

@forevermatt
Contributor Author

> I'm not certain of the status of this; however, a simpler solution is to make the numbers stand out from the letters (different color, underline, big arrow pointing to it saying it is a number, etc.).

I like your idea of using a different color for numbers. That seems like a better solution.
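To put numbers on both proposals in this thread (generating a base32 seed that never contains an O, and rendering the seed so digits stand out), here is an added Python example. It is not the project's own code; the 16-character seed length is taken from the issue text, and the function names and the bracket-marking display style are assumptions chosen for illustration.

```python
import base64
import math
import secrets

# RFC 4648 base32 alphabet: A-Z plus the digits 2-7. It never contains
# 0, 1, 8 or 9, which is why an O has no neighbouring 0 to compare against.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def generate_seed(length=16, excluded="O"):
    """Return a random base32 seed that avoids the characters in `excluded`.

    Each character is drawn uniformly from the reduced alphabet with the
    CSPRNG in `secrets`, so excluding a symbol shrinks the space but does
    not bias the remaining choices.
    """
    alphabet = [c for c in BASE32_ALPHABET if c not in excluded]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_seed(seed, excluded="O"):
    """True if every character is base32 and none of the excluded ones appear."""
    return all(c in BASE32_ALPHABET and c not in excluded for c in seed)


def decode_seed(seed):
    """Decode a base32 seed to raw key bytes, restoring the '=' padding that
    RFC 4648 requires but that authenticator apps normally strip."""
    padded = seed + "=" * (-len(seed) % 8)
    return base64.b32decode(padded, casefold=True)


def entropy_bits(length, alphabet_size):
    """Bits of entropy in `length` uniformly chosen symbols."""
    return length * math.log2(alphabet_size)


def entropy_loss_bits(length=16, excluded_count=1):
    """How many bits are given up by dropping `excluded_count` symbols,
    i.e. log2(32^length) - log2((32 - excluded_count)^length)."""
    return entropy_bits(length, 32) - entropy_bits(length, 32 - excluded_count)


def render_for_display(seed, group=4):
    """Plain-text rendering of the seed in groups, with digits in brackets.

    This is a text-only stand-in for the coloured or underlined digits
    suggested in the thread; a UI would replace the brackets with styling.
    """
    groups = [seed[i:i + group] for i in range(0, len(seed), group)]
    return " ".join(
        "".join(f"[{c}]" if c.isdigit() else c for c in g) for g in groups
    )


if __name__ == "__main__":
    seed = generate_seed()
    print("seed:", seed)
    print("display:", render_for_display(seed))
    print("key bytes:", decode_seed(seed).hex())
    print("entropy lost by excluding O: %.3f bits" % entropy_loss_bits())
```

For a 16-character seed the drop from 32^16 to 31^16 costs about 0.73 bits of the original 80, which is the "negligible" reduction the issue describes; the display helper shows the alternative of leaving the alphabet alone and making the 2-7 digits visually distinct instead.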
