This repository has been archived by the owner on Dec 20, 2018. It is now read-only.

Feature Request: Make the One Time Password code configurable/extensible #465

Closed
jakeswenson opened this issue May 14, 2015 · 9 comments

@jakeswenson

I am very interested in changing the default time step of the code generating One Time Passwords (OTPs) from 3 minutes to 30 seconds. This is because there are apps out there that are using that time step (and it is the recommended time step in the RFC).

I have started the work here: https://github.com/jakeswenson/Identity/tree/feature/abstracting-one-time-passwords-into-interfaces

If there is interest in this, I can submit a pull request after my CLA is processed.

@HaoK
Member

HaoK commented May 14, 2015

If you are only interested in configuring the time step, would it be sufficient for us to expose that in an options setting for our implementation? We certainly could expose interfaces for this like you are heading, but I'm not sure we really need that complexity if our implementation is good enough 95% of the time. Custom implementations already can be plugged in via the IUserTokenProvider.

That said, we haven't really revisited any of these designs for V3 yet, so @divega @blowdart @rustd we should review this stuff and see if we want to tidy anything up...

@jakeswenson
Author

@HaoK an options setting may work nicely, yes. Also, something to control the number of digits would be nice. My main goal is having the ability to use TOTP from my authenticator app. I think that'd be a nice 2FA scenario to hit.

@jakeswenson
Author

To be clear, there are a couple of things to note about the current OTP code.
Right now it's tied to 3 minute time steps with a fixed skew of 2 steps either side. That means there is a total of 15 minutes where the one-time password is valid...

There are three main 2FA options:

  • Email (3 minutes seems reasonable here)
  • SMS (3 minutes, for 15 minutes total window seems too big)
  • Authenticator apps (30 second time step required, total window for allowed skew should be configurable, but I would think 0-1 time steps seems reasonable. Should consult the RFC for advice)

I think we need to be able to configure an OTP provider per type of 2FA verification, each having its own options.

@blowdart
Member

One per provider seems fair.

@rustd rustd added this to the 3.0.0-beta5 milestone May 18, 2015
@rustd rustd modified the milestones: 3.0.0-beta5, 3.0.0-beta6 Jun 1, 2015
@HaoK
Member

HaoK commented Jun 29, 2015

Not going to happen this week, moving to beta 7

@HaoK HaoK modified the milestones: 3.0.0-beta7, 3.0.0-beta6 Jun 29, 2015
@jakeswenson
Author

Is there a plan for this to be in the RTM? Would it be ok if I try and tackle this to help get this done?

Thanks!

@HaoK
Member

HaoK commented Jul 31, 2015

Go for it, submit a PR!

@HaoK
Member

HaoK commented Jul 31, 2015

It's on my list of things to do, but that list appears to be growing faster than I'm able to finish things lately.

@HaoK HaoK modified the milestones: 3.0.0-beta8, 3.0.0-beta7 Aug 10, 2015
@rustd rustd modified the milestones: Backlog, 3.0.0-beta8 Sep 21, 2015
@rustd rustd unassigned HaoK Sep 21, 2015
@HaoK
Member

HaoK commented Nov 18, 2016

So we added the ability to provide a specific token provider instance which we hope is enough to allow you to configure things, if this isn't enough, we can consider more improvements in the future.

@HaoK HaoK closed this as completed Nov 18, 2016