BoringAuth

Arbitrary upper limit to code length?

Open • jtomazin opened this issue 7 years ago • 1 comment

I was trying to generate larger TOTP values and noticed that output values are capped at 2^31 bits -- is there a reason for this? The HOTP paper recommends that an easy way to improve security is to just extract more characters from the HMAC hash.

jtomazin • Jul 06 '18 04:07

You are correct. I believe it makes sense to allow extracting all of the bits available in the HMAC hash. So if you are using sha256 you can extract up to 24 characters, if you use sha512 you could extract up to 48 characters.

@jtomazin Would this work for you?

YetAnotherMinion • Aug 10 '18 19:08
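For reference on the limit discussed in this thread, here is an added example (not part of the issue and not BoringAuth's code) of the RFC 4226 dynamic truncation step, showing how the 31-bit intermediate value bounds what longer codes can carry. It is written in Python with only the standard library; the function names are hypothetical and the secret is the public test key from RFC 4226 Appendix D.

```python
import hmac
import math
import struct

# Public test secret from RFC 4226 Appendix D (not a real key).
RFC4226_SECRET = b"12345678901234567890"
MAX_TRUNCATED = 0x7FFFFFFF  # largest value dynamic truncation can return


def dynamic_truncate(digest: bytes) -> int:
    """RFC 4226 section 5.3: the low nibble of the last byte selects a
    4-byte window; the top bit is cleared, leaving a 31-bit integer."""
    offset = digest[-1] & 0x0F
    (word,) = struct.unpack(">I", digest[offset:offset + 4])
    return word & MAX_TRUNCATED


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """Zero-padded decimal HOTP code of `digits` characters."""
    if not 1 <= digits <= 10:
        # A 31-bit integer never has more than 10 decimal digits.
        raise ValueError("digits must be between 1 and 10")
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    return str(dynamic_truncate(mac) % 10 ** digits).zfill(digits)


def effective_bits(digits: int) -> float:
    """Upper bound on code entropy: distinct codes are limited both by the
    decimal length and by the 31-bit truncated value."""
    return math.log2(min(10 ** digits, MAX_TRUNCATED + 1))


def possible_leading_digits(digits: int) -> list[int]:
    """First digits a code of this length can take after truncation."""
    if MAX_TRUNCATED >= 10 ** digits - 1:
        return list(range(10))
    return list(range(MAX_TRUNCATED // 10 ** (digits - 1) + 1))


if __name__ == "__main__":
    for n in (6, 8, 9, 10):
        print(n, hotp(RFC4226_SECRET, 0, n), round(effective_bits(n), 2),
              possible_leading_digits(n))
```

With this truncation a 10-digit code can only begin with 0, 1 or 2, so getting more output than about 31 bits requires reading more of the HMAC than the single 4-byte window.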