Comments (7)
The `input` parameter has a different meaning depending on the OTP type:
- With TOTP, it corresponds to the timestamp
- With HOTP, it corresponds to the counter

The `window` parameter allows testing counters/periods before or after the current counter/timestamp.
For TOTP, you are right it can be considered as a gross adjustment.
I think that obtaining the same result using the same parameter could be more elegant, but this is my personal opinion.
If you don't agree I will implement the solution as you suggested.
I agree with you. Such leeway seems better than a hard window, which may induce security issues.
As it will change the behaviour of the parameter, I don't think it will be implemented in the current major branch. But it could be done in a new major one (v11).
from otphp.
Hi @blackhole997,
What you are describing here looks possible with the current method arguments by passing a custom timestamp.
```php
$isVerified = $totp->verify($otp);
if (!$isVerified) {
    $isVerified = $totp->verify($otp, time() - 15);
}
// Now $isVerified can be true even with an OTP that expired less than 15 seconds before
```
from otphp.
Hi @Spomky,
many thanks for the reply.
What you suggest surely works - I didn't think about doing it in that way.
So, tell me if I'm wrong:
- The `window` parameter should be used for 'gross' adjustments
- The `input` parameter should be used for more accurate adjustments.
I think that obtaining the same result using the same parameter could be more elegant, but this is my personal opinion.
If you don't agree I will implement the solution as you suggested.
from otphp.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from otphp.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from otphp.
Hi @blackhole997,
This will be part of the v11.
The `window` parameter will change and this will be considered as a time drift feature.
The new behavior will fix this but also prevent misuse of the window parameter.
Can you tell me if this new v11 is what you expected here?
Please refer to the changes in #152 and in particular these lines.
Regards.
from otphp.
PR #152 is now merged
from otphp.
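
The difference between a window counted in periods and a leeway counted in seconds, as discussed in this thread, shown as an added example that is not part of the thread and not otphp's own code. It is a self-contained RFC 6238 implementation; the function names (`totpAt`, `verifyWithWindow`, `verifyWithLeeway`), the leeway bound and the sample secret and timestamps are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not otphp code): RFC 6238 TOTP, HMAC-SHA1, 6 digits.
// Function names are hypothetical; secret and timestamps are constructed.

function totpAt(string $secret, int $timestamp, int $period = 30): string
{
    $hmac = hash_hmac('sha1', pack('J', intdiv($timestamp, $period)), $secret, true);
    $offset = ord($hmac[19]) & 0x0F; // dynamic truncation, RFC 4226
    $code = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($code % 1000000), 6, '0', STR_PAD_LEFT);
}

// Window counted in whole periods: also tries the $window periods before and after.
function verifyWithWindow(string $secret, string $otp, int $now, int $window, int $period = 30): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        // hash_equals compares in constant time; no early exit on a match
        $ok = hash_equals(totpAt($secret, $now + $i * $period, $period), $otp) || $ok;
    }
    return $ok;
}

// Leeway counted in seconds: tries now, now - leeway and now + leeway only.
function verifyWithLeeway(string $secret, string $otp, int $now, int $leeway, int $period = 30): bool
{
    // Assumption of this example: the leeway must stay shorter than one period.
    if ($leeway < 0 || $leeway >= $period) {
        throw new InvalidArgumentException('leeway must be >= 0 and shorter than the period');
    }
    $ok = false;
    foreach ([$now, $now - $leeway, $now + $leeway] as $t) {
        $ok = hash_equals(totpAt($secret, $t, $period), $otp) || $ok;
    }
    return $ok;
}

$secret = '12345678901234567890';   // RFC 6238 test secret (ASCII)
$otp = totpAt($secret, 59);         // issued in the period [30, 60)

foreach ([70, 80] as $now) {        // submitted 10 s and 20 s after that period ended
    printf("t=%d window=1: %s, leeway=15s: %s\n", $now,
        var_export(verifyWithWindow($secret, $otp, $now, 1), true),
        var_export(verifyWithLeeway($secret, $otp, $now, 15), true));
}
```

With a window of one period the expired code stays valid for the whole following period, while the 15-second leeway stops accepting it once more than 15 seconds have passed since its period ended.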