Secret length for Google Authenticator MFA
Closed this issue · 2 comments
Hello,
The current version of Passbolt generates the secret key for TOTP MFA (called Google Authenticator) with a length of 2048 bits (410 base32 characters). While this works fine with most apps, for some apps, and specifically for hardware tokens, this causes issues.
The RFC recommends a seed length of 160 bits (RFC 4226, R6). Also, making this value longer does not increase security at all.
Is there a way to modify this length?
Thanks
Hello,
This is currently not configurable. I've created an issue PB-22019 to make it so via environment variables as follows:
- Add environment variable under config passbolt.plugins.multifactorAuthentication.totp.secretLength and ENV variable PASSBOLT_PLUGINS_MFA_TOTP_SECRET_LENGTH (default 256).
- Replace hardcoded value under MfaOtpFactory:
trim(Base32::encode(random_bytes(256)), '=');
The current library default is set to 32 bytes (we should have stuck with that...), but with the improvement you should be able to set it to 20 bytes (160 bits).
Cheers,
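To make the numbers in this thread concrete, here is an added Python example (not Passbolt's code) that mirrors the `trim(Base32::encode(random_bytes(n)), '=')` pattern for a configurable byte length, shows why 256 bytes yields 410 base32 characters and 20 bytes yields 32, and verifies the resulting seed with an RFC 6238 TOTP computation against the RFC's own SHA-1 test vector.

```python
import base64
import hashlib
import hmac
import math
import secrets
import struct


def secret_base32_length(n_bytes: int) -> int:
    """Base32 characters needed for n_bytes once the '=' padding is trimmed (5 bits per char)."""
    return math.ceil(n_bytes * 8 / 5)


def generate_totp_secret(n_bytes: int = 20) -> str:
    """Random TOTP seed, base32 encoded with padding trimmed, like the PHP line in the thread.

    20 bytes is the RFC 4226 recommended 160-bit seed; 256 bytes reproduces the 410-char
    secret the reporter saw.
    """
    return base64.b32encode(secrets.token_bytes(n_bytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse the unpadded base32 that authenticator apps accept (re-add '=' to a multiple of 8)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for a base32 seed at the given Unix time."""
    key = decode_secret(secret_b32)
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    for n in (20, 32, 256):
        print(f"{n:>3} bytes -> {secret_base32_length(n)} base32 chars, e.g. {generate_totp_secret(n)[:16]}...")
    # RFC 6238 Appendix B test seed (ASCII "12345678901234567890", exactly 20 bytes).
    rfc_seed = base64.b32encode(b"12345678901234567890").decode("ascii")
    print("TOTP at T=59:", totp(rfc_seed, 59, digits=8))   # RFC 6238 lists 94287082
```

Any seed the generator produces, whether 20 or 256 bytes, round-trips through `decode_secret` and drives `totp` the same way; the length only matters for what the client can store.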