WordPress.org

Ready to get started?Download WordPress

Forums

Google Authenticator
[resolved] Feature requests: changing time period, entering own secret (7 posts)

  1. heypete
    Member
    Posted 1 year ago #

    Hi,

    I have a Feitian c200 OATH-compatible token but it only generates new codes every 60 seconds instead of the more common 30 second interval.

    The current plugin code computes the current code using the current unix time modulo 30 seconds:
    $tm = floor( time() / 30 );

    I was able to get my token to work by changing the plugin code to:
    $tm = floor( time() / 60 );

    This works well, but I found that I need to have "relaxed mode" enabled or else it won't work at all -- it keeps saying the code is invalid. I'm not entirely sure why this is as the relaxed mode only works on "periods" of time rather than on a specific number of seconds -- any ideas?

    It would be nice to have the plugin have an option to select between 30 second and 60 second time periods (with the default being 30 seconds and a brief note explaining that the 30 second period is more common but the 60 second period is available for certain tokens).

    Additionally, it would be nice if there were an option for the user to input their own secret, such as one provided with a hardware token. I've been editing the database entry directly to enter my own secret (thanks for making the necessary database entries clear and understandable: this made it trivial to find where to make the appropriate change) but it'd be nice to have an option in the UI to do so. Perhaps have the option disabled by default to prevent users from entering some trivial or illegal input, but still having the option available for users who are sure they want to input their own secret?

    Keep up the good work!
    -Pete

    http://wordpress.org/extend/plugins/google-authenticator/

  2. Henrik Schack
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Heypete
    Sorry, but I really don't see the point of cluttering up the userinterface in order to support some hardware token, when there is a completely free app from Google available.

    I have intentions of turning this plugin into some switch army knife plugin supporting multiple ways of authenticating.
    The Google Authenticator app seems to be the right choice, as you probably are aware, more and more services are adapting the Google Authenticator app these days.

    Best regards
    Henrik Schack

  3. heypete
    Member
    Posted 1 year ago #

    Hi Henrik,

    Yes, there is a free app from Google, but not everyone has their smartphones (or compatible devices) with them at all times. Hardware tokens also offer a degree of isolation compared to smartphones: the token has no interface with the outside world and so is much less likely to be hacked or otherwise compromised compared to an smartphone.

    I use the Google Authenticator app for some sites, but prefer the hardware token for others -- as both the token and the Google Authenticator app both implement the OATH standard (albeit it with different time intervals), this isn't usually a problem.

    I appreciate the desire for simplicity, but it's also nice to have some choices that would allow users to use other OATH-compliant software/devices rather than be limited to the behavior of a specific smartphone app.

    Rather than fork the plugin, I'd be happy to contribute some patches that implement the features I propose while also maintaining the simplicity of the user interface. You'd be under no obligation to implement the patches, of course, but I figured I could be of some use. :)

    Cheers!
    -Pete

  4. Henrik Schack
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Pete
    This plugin is not aiming at ├╝bergeeks, I created it in order for normal people to be able to secure their WordPress login with a technology they probably already know from Dropbox, Lastpass, Amazon Google, Guild Wars 2 etc.
    These hardware tokens are so "not normal" I haven't even seen them for sale anywhere here in Denmark

    I think it's vital to keep things as simple as possible.
    Supporting this plugin, without owning an iPhone is a pain, supporting it without owning one of all these hardware tokens would be pure hell :-)
    Therefore : I wont add support for hardware tokens.

    Btw. I don't know that many people ever leaving home without their phone.

    Best regards
    Henrik Schack

  5. heypete
    Member
    Posted 1 year ago #

    Hi Henrik,

    Fair enough.

    For reference, gooze.eu (located in France) sells the tokens and other such devices. I have no affiliation with them other than as a customer so don't think I'm trying to spam for them. I'm in Switzerland, and I agree that such tokens are not commonly available at retail (though Blizzard and PayPal both offer hardware tokens for more secure logins, so they're not unheard of).

    If you want some help in regards to iPhone compatibility, please feel free to contact me off-forum and I'd be happy to help as I have a iOS device here for testing. That said, the nice thing with the various Google Authenticator apps on different platforms (and on hardware tokens) is that they all implement the same standard, keeping life a bit easier. :)

    I may be one of the rare people who doesn't leave home with a smartphone: I have a rather "dumb" phone that makes calls and sends/receives SMS messages. It's nice because the battery lasts for weeks. I also have an iPod Touch (which runs the iOS Google Authenticator app, among other things) but I don't like carrying it around all the time when I'm not going to be listening to music (one less thing to carry). My hardware token is on my keyring, which is always with me.

    Anyway, if you ever decide to change your mind and want to support OATH-compatible hardware tokens I'd be happy to help in whatever way I can.

    Cheers!
    -Pete

  6. Henrik Schack
    Member
    Plugin Author

    Posted 1 year ago #

    Ok thanks a lot, if I ever change my mind, you'll be the first to know.

    Btw it's not possible to purchase the Paypal token in Denmark, I've been asking Paypal support for it for years without any luck :-(

    Best regards
    Henrik Schack

  7. David Maillard
    Member
    Posted 1 year ago #

    +1 on this.
    Fully agree that support for hardware devices would be good.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic