
Suggestions (mostly) for mOTP accounts - comparison with DroidOTP and Draytek routers settings #1231

Open
mundodisco-argentina opened this issue Dec 11, 2024 · 1 comment
Labels
feature New feature

Comments

@mundodisco-argentina

Hi Jamie,
I work in infrastructure IT support and came across Draytek-brand routers, which, for VPN, have the option to use mOTP (not TOTP or HOTP).
Stratum and DroidOTP are the only apps in the Play Store I could find (and believe me, I downloaded and tried dozens) that support mOTP. Most complain about the format / length of the secret code, or do not ask for a PIN (and so the generated OTP does not work as a valid credential).

Your app does support it, indeed, and works with these routers. However, there are a few suggestions I would like you to consider:

  1. First of all, your app asks for the PIN to be entered once, when you create the account, along with the (long) secret code. However, DroidOTP has a better approach, as it asks the user for the PIN each time before showing the OTP code. This is an additional security layer, as if you "find" the phone, you cannot get a valid OTP code as you wouldn't know the PIN to enter. However, I would make this optional (for some "kind of problematic users"). I mean, if you do not enter a PIN when you create the account, the app should ask for it each time before generating OTP codes.

  2. The time to regenerate the OTP code should be selectable. For instance, DroidOTP lets you choose between 10 and 60 seconds (in ten-second steps). Perhaps just 30 and 60 would be enough, though. But certainly, just 30 seconds is a bit annoying for some users.

  3. Last but not least, regarding the PIN for mOTP connections. Your app just lets you enter a PIN of 4 digits. Draytek routers allow entering between 4 and 7 digits (only numbers). Of course, as I have the possibility of setting up these routers myself, I put just 4 numbers. But if they were already set up with a longer PIN, I wouldn't have had the chance to use your app (the DroidOTP app allows you to select -when you create or edit the account- between digit-only PINs and alphanumeric PINs -apparently, without limitation-, and the virtual keyboard changes accordingly).

@mundodisco-argentina mundodisco-argentina added the feature New feature label Dec 11, 2024
@jamie-mh
Member

Hi @mundodisco-argentina

> First of all, your app asks for the PIN to be entered once, when you create the account, along with the (long) secret code.

This is by design in order to make the MOTP codes behave like TOTP codes since Stratum is not a dedicated MOTP app. I found that entering a pin each time didn't add any security benefit since the database can be locked with a password + biometrics.

> The time to regenerate the OTP code should be selectable.

Alright, not a problem.

> Your app just lets you enter a PIN of 4 digits.

The (seemingly) official spec says that it uses "the 4-digit PIN that a user enters". Is there any other reference to how many or few digits/letters should be allowed in a pin?
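As an added example (not Stratum's or DroidOTP's code), here is the mOTP construction the thread is arguing about, written in Python: the PIN is hashed together with the secret and the 10-second time step, so a wrong PIN silently produces an unusable code, plus the server-side check with a drift window and replay tracking that a router or VPN gateway needs. The 4-to-7-digit PIN bound is taken from the issue's description of Draytek routers, and the secret used in the checks is a constructed sample value.

```python
import hashlib
import hmac

MOTP_STEP_SECONDS = 10   # the Mobile-OTP spec derives every code from a 10-second time step
MOTP_DIGITS = 6          # a code is the first 6 hex characters of the MD5 digest
# PIN length bounds taken from the issue's description of Draytek routers (4 to 7 digits);
# the spec text quoted in the thread only mentions a 4-digit PIN.
PIN_MIN_LEN, PIN_MAX_LEN = 4, 7


def validate_pin(pin: str) -> None:
    """Reject PINs outside the numeric 4-7 digit range the issue describes."""
    if not pin.isdigit() or not PIN_MIN_LEN <= len(pin) <= PIN_MAX_LEN:
        raise ValueError(f"PIN must be {PIN_MIN_LEN} to {PIN_MAX_LEN} digits")


def motp_code(secret_hex: str, pin: str, timestamp: int) -> str:
    """Token side: md5(str(timestamp // 10) + secret + pin)[:6], as mOTP specifies.
    Because the PIN is part of the hash input, a missing or wrong PIN yields a code
    the server will simply not accept, not an error the user can see."""
    validate_pin(pin)
    step = str(timestamp // MOTP_STEP_SECONDS)
    digest = hashlib.md5((step + secret_hex + pin).encode("ascii")).hexdigest()
    return digest[:MOTP_DIGITS]


def verify_motp(secret_hex, pin, candidate, timestamp, used_steps=None, window_steps=18):
    """Server side: accept a code from any step within +/- window_steps of now
    (18 steps = 3 minutes, a typical clock-drift tolerance). Returns the matched
    step so the caller can record it and refuse replays, or None on failure."""
    used_steps = used_steps if used_steps is not None else set()
    now_step = timestamp // MOTP_STEP_SECONDS
    candidate = candidate.strip().lower()
    for step in range(now_step - window_steps, now_step + window_steps + 1):
        expected = motp_code(secret_hex, pin, step * MOTP_STEP_SECONDS)
        # constant-time comparison; a step already consumed is never accepted again
        if hmac.compare_digest(expected, candidate) and step not in used_steps:
            return step
    return None
```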
