Interesting approach, would the code sent to the user be a TOTP ?
Because a 5 digit code holds much less entropy than traditional passwordless tokens, it would be easier to brute force if the validation endpoint is not properly implemented (rate-limiting and deleting the challenge after N failed responses).
Yes, I think that's what basically the code is, some kind of a one time password. The fact it is just 5 digits is not something I've paid a lot of attention to be honest, as this is something really easy to change. Probably you could even use letters, symbols, etc... the trade-off is annoying a bit more the end user.
2 comments
[ 3.9 ms ] story [ 25.4 ms ] threadBecause a 5 digit code holds much less entropy than traditional passwordless tokens, it would be easier to brute force if the validation endpoint is not properly implemented (rate-limiting and deleting the challenge after N failed responses).
It also expires (see https://github.com/msurdi/wipku/blob/master/server/core/user...) , and the api should probably protected with rate limits, that should mitigate the brute force attacks I think.