Open bohdansec opened 3 months ago
Strongly support @bohdansec's proposal in the comments to move from 4 chars to 6 on the OTP token.
Also @bohdansec, if you'd like to collab on doing a security review of this code, hit us up at codeaudit [at] IncludeSecurity.com; it'd be nice to work together on this project!
I'd like to propose a minor improvement aimed at enhancing the cryptographic strength and expanding the capabilities of OTP generation. Specifically, this would enable the creation of OTPs that can start with zero and allow for dynamically defining the length of the OTP.
Additionally, if the functionality is sufficiently generic and does not include business logic specific to a single service, consider the possibility of extracting such code into a common library that can be utilized by both services. This will ensure code reusability and prevent duplication. For microservices, this often pertains to utility functions, such as OTP generation.
I also recommend increasing the minimum length of the length parameter for OTPs from 4 to 6-8 characters. You might also consider storing the value of the length parameter in the configuration.
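To make the proposal concrete, here is an added Python example (my own illustration, not code from this project or from @bohdansec) contrasting the shape of OTP generation that cannot produce a leading zero with a generator that draws uniformly over the full digit space, takes its length from configuration, and enforces the suggested 6-digit minimum. `MIN_OTP_LENGTH`, `MAX_OTP_LENGTH`, `load_otp_length` and the `randbelow` parameter are assumptions for the sake of the example.

```python
import hmac
import os
import secrets
from typing import Callable

# Assumed policy bounds; the issue suggests raising the minimum to 6-8.
MIN_OTP_LENGTH = 6
MAX_OTP_LENGTH = 10


def legacy_otp() -> str:
    """Constructed 'before' shape, not the project's code: an integer in
    [1000, 9999] rendered as text. It can never start with '0', so only
    9000 of the 10000 four-digit strings are reachable, and the length
    is hard-wired to 4."""
    return str(1000 + secrets.randbelow(9000))


def load_otp_length(env: dict = os.environ) -> int:
    """Read the OTP length from configuration (assumed env var OTP_LENGTH)
    and reject values outside the allowed range, so a misconfiguration
    fails at startup rather than silently weakening every code."""
    length = int(env.get("OTP_LENGTH", str(MIN_OTP_LENGTH)))
    if not MIN_OTP_LENGTH <= length <= MAX_OTP_LENGTH:
        raise ValueError(
            f"OTP_LENGTH={length} outside {MIN_OTP_LENGTH}..{MAX_OTP_LENGTH}")
    return length


def generate_otp(length: int = MIN_OTP_LENGTH,
                 randbelow: Callable[[int], int] = secrets.randbelow) -> str:
    """Return a numeric OTP of exactly `length` digits, leading zeros
    included. `randbelow` is injectable only so tests can pin the draw;
    production callers keep the default CSPRNG from `secrets`."""
    if not MIN_OTP_LENGTH <= length <= MAX_OTP_LENGTH:
        raise ValueError(
            f"OTP length must be {MIN_OTP_LENGTH}..{MAX_OTP_LENGTH}, got {length}")
    # One uniform draw over 10**length, then left-pad: every string from
    # "000000" to "999999" is equally likely, unlike the legacy shape.
    value = randbelow(10 ** length)
    return str(value).zfill(length)


def otp_space(length: int) -> int:
    """Number of distinct codes for a given length (10**length)."""
    return 10 ** length


def verify_otp(submitted: str, expected: str) -> bool:
    """Compare in constant time so response timing does not leak how many
    leading digits matched. Rate limiting and expiry still belong in the
    caller; they are what keep a 6-digit space from being brute-forced."""
    return hmac.compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    n = load_otp_length({"OTP_LENGTH": "6"})   # constructed config, not os.environ
    code = generate_otp(n)
    print(f"legacy 4-digit: {legacy_otp()}  (never starts with 0)")
    print(f"new {n}-digit:  {code}  space={otp_space(n):,}")
    print("verify:", verify_otp(code, code))
```

Note that the uniform draw plus `zfill` is what makes the full `10**length` space reachable; moving from 4 to 6 digits raises that space from 10,000 to 1,000,000, which only matters if attempts per code are also capped.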