Decimal time window about otphp HOT 7 CLOSED

The input parameter has different meaning depending on the OTP type:

• With TOTP, it corresponds to the timestamp
• With HOTP, it corresponds to the counter

The window parameter allows to test counters/periods before or after the current counter/timestamp.
For TOTP, you are right it can be considered as a gross adjustement.

I think that obtaining the same result using the same parameter could be more elegant, but this is my personal opinion.
If you don't agree I will implement the solution as you suggested.

I agree with you. Such leeway seems better that a hard windows which may induce security issues.
As it will change the behaviour of the parameter, I don't think it will be implement in the current major branch. But could be done in a new major one (v11).

from otphp.

Hi @blackhole997,

What you are describing here looks possible with the current method arguments by passing a custom timestamp.

$isVerified = $totp->verify($otp);
if (!$isVerified) {
    $isVerified = $totp->verify($otp, time()-15);
}

//Now $isVerified can be true even with an OTP that expired less than 15 seconds before

from otphp.

Hi @Spomky,
many thanks for the reply.

What you suggests surely works - I didn't think about doing it in that way.

So, tell me if I'm wrong:

• The window parameter should be used for 'gross' adjustements
• The input parameter should be used for more accurate adjustments.

I think that obtaining the same result using the same parameter could be more elegant, but this is my personal opinion.
If you don't agree I will implement the solution as you suggested.

from otphp.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from otphp.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from otphp.

Hi @blackhole997,

This will be part of the v11.
The window parameter will change and this will be considered as a time drift feature.
The new behavior will fix this but also prevent misuse of the window parameter.

Can you tell me if this new v11 is what you expected here?
Please refer to the changes in #152 and in particular these lines.

Regards.

from otphp.

PR #152 is now merged

from otphp.