
Salted Passwordless Authentication - msurdi
https://msurdi.github.io/posts/4-salted-passwordless-authentication/
======
franky47
Interesting approach, would the code sent to the user be a TOTP?

Because a 5 digit code holds much less entropy than traditional passwordless
tokens, it would be easier to brute force if the validation endpoint is not
properly implemented (rate-limiting and deleting the challenge after N failed
responses).

~~~
msurdi
Yes, I think that's basically what the code is, some kind of one-time
password. The fact that it is just 5 digits is not something I've paid a lot of
attention to, to be honest, as this is something really easy to change. Probably
you could even use letters, symbols, etc... the trade-off is annoying the end
user a bit more.

It also expires (see
[https://github.com/msurdi/wipku/blob/master/server/core/user...](https://github.com/msurdi/wipku/blob/master/server/core/users.js#L48)),
and the API should probably be protected with rate limits; that should mitigate
the brute force attacks, I think.

