[Resolved] When are old OTPs deleted from db?

  • Plugin Author Julien Liabeuf

    @julien731

    Indeed you’re right, it shouldn’t sit in the DB forever. There is currently no cleaning feature but I planned on adding it (see the issue on GitHub). I’ll probably integrate an automatic cleaning + a manual option.

    Ok, thanks for the reply.

    Deleting OTPs from the DB that are older than, say, 5 minutes is very important to avoid server bloat on high traffic servers.

    Given that time-based OTPs such as Google Authenticator are only valid for 60 seconds (+ clock skew allowance by verifying server), I don’t really see a pressing need to store OTPs as a hedge against replay attacks.

    Would you consider an option to not store OTPs in a DB at all?

    Plugin Author Julien Liabeuf

    @julien731

    You’re absolutely right. I’ll work on this improvement ASAP. I didn’t plan to add an option to not store TOTPs in DB at all, but that wouldn’t be hard to do.

    Plugin Author Julien Liabeuf

    @julien731

    I finally found some time to update the plugin. Old TOTPs will now automatically be deleted from DB daily.

    Actually, you should deactivate and re-activate the plugin in order to make sure the cron task is enabled.
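
The storage and cleanup trade-off discussed in this thread, as an added example that is not the plugin's code: a used-code table only has to remember a code for as long as the verifier would still accept it, so anything older can be purged. The `used_otp` table, the function names, the 30-second step, the ±1 step skew and the in-memory SQLite database standing in for the WordPress DB are all assumptions made for the sketch.

```python
import hashlib, hmac, sqlite3, struct

STEP = 30   # seconds per time step (assumed; RFC 6238 default)
SKEW = 1    # accept +/- 1 step of clock drift (assumed)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 / RFC 4226 code for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Hypothetical table: one row per accepted (user, time step).
    db.execute("CREATE TABLE used_otp (user TEXT, step INTEGER, "
               "PRIMARY KEY (user, step))")
    return db

def verify(db, user: str, secret: bytes, code: str, now: int) -> bool:
    """Accept a code once per time step; a second use is a replay."""
    current = now // STEP
    for step in range(current - SKEW, current + SKEW + 1):
        if hmac.compare_digest(totp(secret, step), code):
            try:
                # PRIMARY KEY makes a second use of the same step fail.
                db.execute("INSERT INTO used_otp VALUES (?, ?)", (user, step))
            except sqlite3.IntegrityError:
                return False  # replay inside the validity window
            return True
    return False

def purge(db, now: int) -> int:
    """Delete rows whose step verify() can no longer accept."""
    oldest_valid = now // STEP - SKEW
    cur = db.execute("DELETE FROM used_otp WHERE step < ?", (oldest_valid,))
    return cur.rowcount
```

Rows are keyed by time step rather than wall-clock time, so `purge()` removes exactly the entries that have fallen outside the acceptance window and never one that could still be replayed.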
