ChristianRiesen/otp

4 digit OTP code

joel-leandev opened this issue · 3 comments

Is there any option to generate a 4 digit code only?

Using a 4 digit code is not advisable. The minimum is 6, and there is an option for 8.

If you want 4 digits, you could simply compare the output and just look at the first 4, but again, I'd strongly advise against that.

May I ask why 4 digits are not advisable? To prevent brute forcing?

The standard is TOTP, which changes every 30 seconds. Trying 10'000 combinations in 30 seconds with a fast connection is much more doable than 1'000'000 combinations. Also, you have a higher chance of randomly guessing the right one. Lastly, you should always have something in place to prevent brute-forcing OTP entries anyway, e.g. only allow them 3 tries within 30 seconds or the like. And of course disallow a used OTP for whatever window of checking you have (usually one code behind and ahead to allow for small time drifts), or it wouldn't be a ONE time password :)

6 digits is pretty common and is within the realm of a user easily being able to remember and enter. Lots of people have issues if they have to enter 8 digits, and have to look twice to get it right, which is why it's less commonly used.

Hope this answers your questions and helps you make good decisions to improve your security :)
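The points made in the answer above (RFC 6238 TOTP over 30-second steps, a checking window of one step behind and ahead, rejecting a code that was already used, and capping attempts at 3 per 30 seconds) can be put together in a small verifier. The following is an added example, not code from the ChristianRiesen/otp library, and it is written in Python rather than the project's PHP; the class name `OtpVerifier`, its method names and the in-memory `used`/`attempts` bookkeeping are assumptions for illustration (a real deployment would persist that state per user). The `guess_probability` helper shows the other half of the argument: with a window of three valid codes and three tries, a random guess succeeds about 1 in 1'100 times against 4 digits but about 1 in 110'000 times against 6.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, at: float = 0.0) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second counter."""
    return hotp(secret, int(at // STEP), digits)


class OtpVerifier:
    """Assumed-name verifier enforcing window, replay denial and attempt cap."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1, max_tries: int = 3):
        self.secret = secret
        self.digits = digits
        self.window = window          # steps accepted behind and ahead of "now"
        self.max_tries = max_tries    # attempts allowed per STEP seconds
        self.used = set()             # counters whose code was already accepted
        self.attempts = []            # timestamps of recent attempts (any outcome)

    def verify(self, code: str, now: float) -> str:
        # Rate limit: count every attempt in the last STEP seconds.
        self.attempts = [t for t in self.attempts if now - t < STEP]
        if len(self.attempts) >= self.max_tries:
            return "rate_limited"
        self.attempts.append(now)

        counter = int(now // STEP)
        for c in range(counter - self.window, counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                if c in self.used:
                    return "replayed"  # a ONE time password is one time only
                self.used.add(c)
                return "ok"
        return "invalid"


def guess_probability(digits: int, window: int = 1, tries: int = 3) -> float:
    """Chance that `tries` random guesses hit one of the 2*window+1 valid codes."""
    valid_codes = 2 * window + 1
    return min(1.0, tries * valid_codes / 10 ** digits)


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret.
    secret = b"12345678901234567890"
    v = OtpVerifier(secret)
    print(v.verify(totp(secret, at=59), now=59))   # ok
    print(v.verify(totp(secret, at=59), now=59))   # replayed
    print(v.verify("000000", now=59))              # invalid
    print(v.verify("000000", now=59))              # rate_limited
    print(guess_probability(4), guess_probability(6))
```

The 4-digit variant the library does not offer would be `hotp(secret, counter, 4)`; the `guess_probability` numbers are the reason the answer above advises against it even with the attempt cap in place.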