Initial release - tested with Password S-CRIB and Google Authenticator, supports OATH HOTP with code lengths of 6, 7, and 8 digits. Secrets are stored encrypted with a unique key and AES-256. Secrets can be entered as hex strings or scanned from QR codes.
Fixing a typo in string formatting and the maximum length of the OTP secret (now it is indeed 64 bytes).
Showing the secret encoded in the QR code so that it can be typed into a mobile phone app - base32 and hex formats.
User ID in the QR code now shows login name and URL of the blog.
Removing the length of OTP codes - this is now computed automatically from the first OTP code.
Adding a couple of cryptographic keys for future security monitoring.
Extending database for new token types - TOTP and MOTP.
Fixing a bug where the version is not correctly stored in the WP options.
No actual changes to the code.
The internet is indeed a toxic place. The timeout policy did not work as it locked out accounts far too often. A new policy has been implemented:
When a password is shorter than 7 characters or on the list of weak passwords (weak_passwords.txt), the user has to enter it twice.
When there have been at least 5 (for 6-digit OTP) or 10 (for 7- and 8-digit OTP) unsuccessful login attempts, users have to enter an additional OTP code.
When entering an additional OTP code, it would be accepted even when the PIN is missing.
Simplifying the administration form.
Update of weak passwords.
Enforcing a minimum secret length of 80 bits (160 bits is common, but Google uses only 80 bits).
The window (the number of acceptable values around the expected time <-D,+D> or counter <0,D>) is set to D=2 for 6-digit OTPs and D=4 for 8-digit OTPs.
We attempt to identify the TOTP time step from the values 30 seconds, 60 seconds, and 90 seconds.
If OTP is left empty (in the administration form), only PIN and counter are updated.
Fixing bug and enabling editing of the counter for HOTP.
Updating database queries to get rid of PHP warnings.
Update of screen shots.
Renaming so that it makes sense, as the password policy has been changed.
A bit of code cleaning.
Improvement of logging to troubleshoot install / update problems.
Adding contact / support information in the plugin's settings page.
Fixing a bug for plugin update (previously not called without activation).
Various code cleaning.
Added a software RNG to resolve problems with the PRNGs provided by operating systems.
Added a new module for SHA256 computation.
The plugin tries to send installation logs to our server for future support requests.
Experimental push of encryption keys to plugin instances - test for new future services.
Got rid of "1 unexpected character read" warning.
Fixed issues with the RNG when no hardware random generator is available.
Improved use of RNG in Windows.
Thank you all for feedback with problems!
Requires: 3.0 or higher
Compatible up to: 3.9.0
Last Updated: 2014-5-12
Downloads: 1,101