Require PIN for registering an hotp credential #114
Conversation
If the PIN is not set, configure it. Nitrokeys prior to Nitrokey/trussed-secrets-app#114 will ignore the PIN. It might surprise users that have not set a PIN in the past that a PIN is now set. Nitrokeys with firmware after Nitrokey/trussed-secrets-app#114 will accept expect this behaviour from hotp-verification
If the PIN is not set, configure it. Nitrokeys prior to Nitrokey/trussed-secrets-app#114 will ignore the PIN. It might surprise users that have not set a PIN in the past that a PIN is now set. Nitrokeys with firmware after Nitrokey/trussed-secrets-app#114 will accept expect this behaviour from hotp-verification
sosthene-nitrokey
force-pushed
the
require-pin-reverse-hotp
branch
from
674b981 to
89d7bde
Compare
|
@sosthene-nitrokey can you link to parallel work for hotp-verification and Heads code needed to deal with this? |
|
My testing show registering a TOTP secret still requires no PIN to be set. |
|
The use case is different and leads to different threat models. Reverse HOTP is used so that the key can verify that the code sent to it is correct. Being able to create an HOTP credential could allow verification against a newly created credential instead of the real one. On the other hand TOTP is used to authenticate the key to a service. Being able to create false credential would only mean that the key would not be able to be authenticated, leading to an explicit failure, instead of authentication working when it shouldn't. You should not that it it also not possible to create a pin-protected without first presenting the PIN. |
|
To be precise, HOTP and TOTP credentials are handled identically. What is different and affected by this PR is Reverse HOTP, sometimes shortened to HOTP. |
Motivation: Nitrokey/nitrokey-hotp-verification#30