> It's a shame the TOTP standard does not support variable code length; 8 symbols seems to be better for high value accounts but still usable
It does. TOTP (RFC 6238) builds off of HOTP (RFC 4226), which states (§5.3):
> Implementations MUST extract a 6-digit code at a minimum and possibly 7 and 8-digit code. Depending on security requirements, Digit = 7 or more SHOULD be considered in order to extract a longer HOTP value.
* https://datatracker.ietf.org/doc/html/rfc4226#section-5.3
There is no inherent limitation in the protocol on how many digits to use (AFAICT): the pseudo-code examples have the number of digits desired as a parameter in each function.
Further, HOTP even discusses (§E.2) using (six+) alphanumeric characters ([A-Za-z0-9]) instead of just digits ([0-9]), though digits are "desirable" for easier entry.
True, but the problem is I do not believe any apps implementing TOTP allow for codes over six numerical digits. So the real world standard (Google Authenticator) does not support it.
You want your secret to have a secret? Several apps that provide time-based one-time password storage/management can also be secured with biometrics, PINs or passwords (Aegis, MS Authenticator). Are you specifically thinking physical tokens only?
What do you mean by that? The TOTP standard doesn't specify how (if at all) the client is secured. Besides, the one-time code is used in addition to a password, not as a substitute for one.