Clarify reuse of OTP authenticator outputs #1961

Open
jimfenton opened this issue Feb 24, 2020 · 0 comments

Comments

@jimfenton (Member)
At the end of -63B Section 5.1.4.1: "The OTP value associated with a given nonce SHALL be accepted only once."

Of course, the same nonce might be applied to many subscribers (e.g., a timestamp used as a nonce for TOTP authenticators). A strict reading of this requirement might limit the service to authenticating only one user during the validity period (~30 seconds).

It might be good to clarify "...associated with a given nonce/secret combination..."

@jimfenton jimfenton changed the title Clarify reuse of OTP authenticaor outputs Clarify reuse of OTP authenticator outputs Mar 24, 2020
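The two readings of the requirement, as an added illustration that is not part of the issue or of SP 800-63B: a verifier that keys replay state on the nonce alone (the time step) versus one that keys it on the nonce/secret combination, i.e. per subscriber. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the subscriber names, secrets, the one-step clock-skew window and the two verifier classes are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_step(unix_time: int, step_seconds: int = 30) -> int:
    """The TOTP nonce: the number of 30-second steps since the Unix epoch (RFC 6238)."""
    return unix_time // step_seconds


class GlobalNonceVerifier:
    """Strict reading of the text: once a nonce (time step) has been consumed by
    anyone, no OTP for that nonce is accepted, so only one subscriber can log in
    per ~30-second window. Example code, not a recommended design."""

    def __init__(self, secrets):
        self.secrets = secrets          # subscriber -> shared secret (constructed)
        self.used_steps = set()         # nonces accepted for any subscriber

    def verify(self, user, code, unix_time):
        secret = self.secrets.get(user)
        step = totp_step(unix_time)
        if secret is None or step in self.used_steps:
            return False
        if not hmac.compare_digest(hotp(secret, step), code):
            return False
        self.used_steps.add(step)
        return True


class PerSubscriberVerifier:
    """Clarified reading: an OTP is accepted once per (nonce, secret) combination.
    Secrets are per subscriber, so replay state is the highest time step already
    accepted for that subscriber; any step at or below it is rejected even when
    it is still inside the clock-skew window."""

    def __init__(self, secrets, skew_steps=1):
        self.secrets = secrets
        self.skew_steps = skew_steps    # tolerate +/- one step of clock drift (assumption)
        self.last_step = {}             # subscriber -> highest accepted step

    def verify(self, user, code, unix_time):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        now_step = totp_step(unix_time)
        floor = self.last_step.get(user, -1)
        for step in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if step <= floor:
                continue                # this (nonce, secret) pair was already consumed
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[user] = step
                return True
        return False
```

With the global table, the second subscriber to present a valid code in the same 30-second step is turned away; with per-subscriber state both succeed, while a replay of either code, or a code for a step older than one already accepted, is still rejected.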