by throw0101a
1642 days ago
> It's a shame the TOTP standard does not support variable code length, 8 symbols seems to be better for high value accounts but still usable

It does. TOTP (RFC 6238) builds off of HOTP (RFC 4226), which states (§5.3):

> Implementations MUST extract a 6-digit code at a minimum and possibly 7 and 8-digit code. Depending on security requirements, Digit = 7 or more SHOULD be considered in order to extract a longer HOTP value.

* https://datatracker.ietf.org/doc/html/rfc4226#section-5.3

There is no inherent limitation in the protocol on how many digits to use (AFAICT): the pseudo-code examples have the number of digits desired as a parameter in each function.

Further, HOTP even discusses (§E.2) using (six+) alphanumeric characters ([A-Za-z0-9]) instead of just digits ([0-9]), though digits are "desirable" for easier entry.
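The Digit parameter discussed in the comment above, as an added example (not code from the comment or from the RFCs' reference implementations): HOTP dynamic truncation with a selectable code length, TOTP built on it, and a verifier that ties the accepted length to the configured one. The names `hotp`, `totp`, `verify` and the `window` parameter are assumptions of this example; the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

# Published test key from RFC 4226 Appendix D / RFC 6238 Appendix B (SHA-1).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with the number of digits as a parameter."""
    # This example accepts the 6 to 8 range named in RFC 4226 section 5.3.
    # The truncated value is only 31 bits, so very long codes add nothing.
    if not 6 <= digits <= 8:
        raise ValueError("digits must be 6, 7 or 8 in this example")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0]
    binary = chunk & 0x7FFFFFFF                  # drop the sign bit
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Check a submitted code against the current step +/- `window` steps."""
    # Reject codes of the wrong length so an 8-digit account cannot be
    # satisfied by a shorter code.
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = unix_time // step
    ok = False
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        expected = hotp(secret, counter, digits)
        # Constant-time comparison; keep looping to avoid an early exit.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    for n in (6, 7, 8):
        print(n, "digits at t=59:", totp(RFC_SECRET, 59, digits=n))
```

Each extra digit cuts the chance of a single blind guess succeeding by a factor of ten, which is why the verifier pins the length per account.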