From f001a5e9e7d59bf4ff1c3a8c2c748f204c03eee1 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Tim=20D=C3=BCsterhus?= Date: Wed, 25 Nov 2020 11:08:28 +0100 Subject: [PATCH] Explain the choice of the backup code parameters --- .../multifactor/BackupMultifactorMethod.class.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php index dbd7d44bc2..2110781ac0 100644 --- a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php +++ b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php @@ -30,6 +30,19 @@ class BackupMultifactorMethod implements IMultifactorMethod { */ private $algorithm; + // 4 chunks of 5 digits each result in code space of 10^20 which + // is equivalent to 66.4 bits of security. The unhashed 3 chunks + // of 5 digits result in 10^15 which is equivalent to 49.8 bits + // of security. + // This is sufficient for a rate-limited online attack, but a bit + // short for an offline attack using a stolen database. In the + // latter case the TOTP secret which needs to be stored in a form + // that allows generating valid codes poses a far bigger threat + // to a single user's security. + // Thus we use a 20 digit code. It gives users a warm and fuzzy + // feeling that the codes cannot be easily guessed (due to being + // longish), while not being unwieldy like a hexadecimal, base32 + // or base64 string. public const CHUNKS = 4; public const CHUNK_LENGTH = 5; -- 2.20.1