
Google Authenticator for WordPress
[resolved] When are old OTPs deleted from db? (5 posts)

  1. dthorpe
    Member
    Posted 6 months ago #

    Your feature list mentions that used one-time-passwords are stored in a db to prevent replay attacks. When are these old passwords removed from the db? I don't want them chewing up infinite disk space over time.

    https://wordpress.org/plugins/wp-google-authenticator/

  2. Julien
    Member
    Plugin Author

    Posted 6 months ago #

    Indeed you're right, it shouldn't sit in the DB forever. There is currently no cleaning feature, but I planned on adding it (see the issue on GitHub). I'll probably integrate an automatic cleaning + a manual option.

  3. dthorpe
    Member
    Posted 6 months ago #

    Ok, thanks for the reply.

    Deleting OTPs from the DB that are older than, say, 5 minutes is very important to avoid server bloat on high traffic servers.

    Given that time-based OTPs such as Google Authenticator are only valid for 60 seconds (+ clock skew allowance by verifying server), I don't really see a pressing need to store OTPs as a hedge against replay attacks.

    Would you consider an option to not store OTPs in a DB at all?

  4. Julien
    Member
    Plugin Author

    Posted 6 months ago #

    You're absolutely right. I'll work on this improvement ASAP. I didn't plan to add an option to not store TOTPs in DB at all, but that wouldn't be hard to do.

  5. Julien
    Member
    Plugin Author

    Posted 4 months ago #

    I finally found some time to update the plugin. Old TOTPs will now automatically be deleted from DB daily.

    Actually, you should deactivate and re-activate the plugin in order to make sure the cron task is enabled.
