constantoine/totp-rs

Option to disable 128-bit requirement

Closed this issue · 3 comments

Currently, a >= 128-bit secret is enforced. This is probably due to RFC6238.

Some services provide a smaller secret, Discord and PayPal are two examples (80 bits). I understand this is not per RFC6238 specification, but I'd love to support those as well.

Users of prs have discussed this here.

I'd therefore like to see an option to loosen this requirement. Would that be possible?


I'm thinking of a TOTP::set_min_bits(80) function, or even a compile-time feature to disable the check.

What do you think? I'd be very happy to give this a shot in a PR.

Mhh, I know I previously rejected a similar suggestion. I didn't know Discord and PayPal used smaller secrets, which kinda makes me want to scream into the void.

There would definitely need to be an API change for that. Maybe a _unchecked variant for new?

which kinda makes me want to scream into the void

Yes!

Good suggestion, a new function should only have minimal effect. Would you merge that if I implemented it? Should it be behind a feature flag?

I'd be happy to go over my current TOTP database to find other examples.

I don't think a feature flag would be necessary for that
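The shape discussed above (a checked constructor that enforces the RFC 6238 minimum of 128 secret bits, plus an explicit unchecked escape hatch for services such as Discord and PayPal that hand out 80-bit secrets), as an added example that is not totp-rs code. The names Totp, new_unchecked, SecretError and decode_base32 are assumptions for illustration; the base32 decoder is included so the example can start from the secret string a provisioning URI actually carries and show how many bits it really contains.

```rust
// Added example, not part of totp-rs. Demonstrates a checked `new` that
// enforces the RFC 6238 minimum (128 bits) and an explicit `new_unchecked`
// escape hatch for providers that issue shorter secrets.

/// Minimum secret length recommended by RFC 6238 (128 bits).
pub const MIN_SECRET_BITS: usize = 128;

#[derive(Debug, PartialEq)]
pub enum SecretError {
    /// The decoded secret carries fewer bits than the enforced minimum.
    TooShort { bits: usize, min_bits: usize },
    /// A character outside the RFC 4648 base32 alphabet was found.
    InvalidBase32(char),
}

#[derive(Debug, PartialEq)]
pub struct Totp {
    secret: Vec<u8>,
    digits: usize,
    step: u64,
}

impl Totp {
    /// Checked constructor: rejects secrets shorter than MIN_SECRET_BITS.
    pub fn new(secret: Vec<u8>, digits: usize, step: u64) -> Result<Totp, SecretError> {
        let bits = secret.len() * 8;
        if bits < MIN_SECRET_BITS {
            return Err(SecretError::TooShort { bits, min_bits: MIN_SECRET_BITS });
        }
        Ok(Totp::new_unchecked(secret, digits, step))
    }

    /// Unchecked constructor (hypothetical name): the caller explicitly opts
    /// out of the length check, so the weaker secret is a visible decision
    /// at the call site rather than a silently relaxed default.
    pub fn new_unchecked(secret: Vec<u8>, digits: usize, step: u64) -> Totp {
        Totp { secret, digits, step }
    }

    pub fn secret_bits(&self) -> usize {
        self.secret.len() * 8
    }

    pub fn params(&self) -> (usize, u64) {
        (self.digits, self.step)
    }
}

/// Decode an RFC 4648 base32 string (padding and spaces ignored, case
/// insensitive) into raw bytes. Trailing bits that do not fill a byte are
/// dropped, as standard base32 decoders do.
pub fn decode_base32(s: &str) -> Result<Vec<u8>, SecretError> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    let mut out = Vec::new();
    let mut buffer: u64 = 0;
    let mut bits: u32 = 0;
    for c in s.chars() {
        if c == '=' || c == ' ' {
            continue;
        }
        let up = c.to_ascii_uppercase();
        let val = ALPHABET
            .iter()
            .position(|&a| a as char == up)
            .ok_or(SecretError::InvalidBase32(c))? as u64;
        buffer = (buffer << 5) | val;
        bits += 5;
        if bits >= 8 {
            bits -= 8;
            out.push(((buffer >> bits) & 0xff) as u8);
            // Keep only the not-yet-emitted low bits in the buffer.
            buffer &= (1u64 << bits) - 1;
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample: a 16-character base32 secret is only 80 bits.
    let short = decode_base32("JBSWY3DPEHPK3PXP").unwrap();
    match Totp::new(short.clone(), 6, 30) {
        Ok(_) => println!("accepted"),
        Err(e) => println!("checked constructor rejected secret: {:?}", e),
    }
    let relaxed = Totp::new_unchecked(short, 6, 30);
    println!("unchecked constructor accepted {} bits", relaxed.secret_bits());
}
```

A secret string of 16 base32 characters decodes to 10 bytes (80 bits), 26 characters to 16 bytes (128 bits), and 32 characters to 20 bytes (160 bits), so the check above is equivalent to requiring at least 26 characters of base32. Keeping the relaxed path as a separate, explicitly named constructor means a code search for `new_unchecked` finds every place a sub-standard secret was knowingly admitted.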