
Alphanumeric characters in TOTP passwords #229

Open
programarivm opened this issue Aug 30, 2024 · 10 comments
Comments

@programarivm

Description

👋 Hello there,

Is it possible to use alphanumeric chars in TOTP passwords? If so, could you please provide an example in the docs?

🙏 Thanks for the help, and keep up the great work!

@Spomky
Member

Spomky commented Aug 31, 2024

Hi,

The OCRA algorithm allows alphanumeric values.
But honestly, I'm not sure what the added value is. If you want similar entropy, you can change the period or the number of digits.
A string from 0 to 9 will always be easier to read and retype compared to an alphanumeric string. User experience is very important for security measures to be adopted.
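As an added illustration of the point above (example code written for this page, not code from otphp or from the thread), here is an RFC 6238 TOTP generator and verifier with the `digits` and `period` parameters exposed, plus a helper that compares the brute-force work of a numeric code with that of an alphanumeric one. The secret used is the RFC 6238 test key; the lookup-window size and the alphabet sizes are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import math
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Dynamic truncation yields a 31-bit value, so more than 10 digits
    # adds no entropy; RFC 4226 recommends 6 to 8 digits.
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (at = Unix seconds)."""
    return hotp(secret, at // period, digits)


def verify_totp(secret: bytes, code: str, at: int, digits: int = 6,
                period: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps
    (window=1 is an assumed tolerance for clock drift). Uses a
    constant-time comparison; a real deployment also rate-limits
    attempts and rejects a code that has already been used."""
    step = at // period
    return any(
        hmac.compare_digest(hotp(secret, step + d, digits), code)
        for d in range(-window, window + 1)
    )


def guess_bits(alphabet_size: int, length: int) -> float:
    """Bits of brute-force work for one code: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def digits_for_equivalent_entropy(alphabet_size: int, length: int) -> int:
    """Smallest numeric digit count matching that search space (no cap applied)."""
    return math.ceil(guess_bits(alphabet_size, length) / math.log2(10))


# Constructed demo: RFC 6238 SHA-1 test key, 8-digit code at T=59.
RFC6238_KEY = b"12345678901234567890"
if __name__ == "__main__":
    print(totp(RFC6238_KEY, 59, digits=8))           # 94287082
    print(guess_bits(10, 6), guess_bits(62, 10))     # ~19.9 vs ~59.5 bits
```

The entropy comparison shows why the decimal route runs into the 31-bit truncation limit: a 10-character alphanumeric code would need about 18 decimal digits to match, so shortening the period and rate-limiting verification attempts is the practical lever rather than a longer numeric code.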

@programarivm
Author

Thanks for the prompt response.

At ChesslaBlab we're implementing a passwordless sign-up use case.

We don't want to share any private data with users, so we're thinking along the lines of usernames automatically created by the system, such as "preciseKoala", which will then eventually be assigned to users once they've scanned the QR code with their authenticator app. Thus, if using a ten-character-long TOTP password containing alphanumeric characters, the probability of hijacking an account will be lower than if using only numbers.

Here's an example of a "Sign in" form:

  • Username: preciseKoala
  • Password: f123o4obAR

I hope this sample "Sign in" form helps to understand what we're trying to do.

Keep it up,

@Spomky
Member

Spomky commented Aug 31, 2024

At ChesslaBlab we're implementing a passwordless sign-up use case.

In this case, you should consider WebAuthn, which is passwordless and in some cases usernameless, among all its other nice features such as phishing resistance.

@programarivm
Author

It seems as if TOTP using a smartphone is just fine for an online chess app. The thing with WebAuthn is that it currently requires a hardware token like a YubiKey, which has an additional cost. Alternatively, WebAuthn using a smartphone is not too obvious to use, if I'm not very much mistaken.

@Spomky
Member

Spomky commented Aug 31, 2024

It seems as if TOTP using a smartphone is just fine for an online chess app. The thing with WebAuthn is that it currently requires a hardware token like a YubiKey, which has an additional cost.

No, you don't need hardware tokens.
Most OSes now support WebAuthn (Android 7+, Windows, iOS/macOS).

Alternatively, WebAuthn using a smartphone is not too obvious to use, if I'm not very much mistaken.

From my POV, it's much simpler compared to OTPs. You can stay on the same screen and are not required to type anything.
Just try this demo: https://webauthn.spomky-labs.com/ (note that you are not required to set a username or display name; just click on the Register or Login buttons).

@programarivm
Author

I'm currently using Authy and FreeOTP to scan the QR codes generated by Spomky-Labs/otphp; however, those two authenticator apps can't scan the WebAuthn QR code at https://webauthn.spomky-labs.com/register

Which app should I use to scan the WebAuthn QR code?

Thank you,

@Spomky
Member

Spomky commented Aug 31, 2024

No app is needed. It is natively recognized by your smartphone's camera app.

@programarivm
Author

Well, it seems as if my camera is somehow recognizing the QR code, since it returns an output like this:

FIDO:/529...660

It just says FIDO with a bunch of numbers. What should I do now with this FIDO code?


@programarivm
Author

Google Authenticator did the trick.

@programarivm
Author

Maybe TOTP is just fine for some apps. Now preciseKoala can play chess with other users and see their results in the ranking. See #230.
