Viewing 4 replies - 1 through 4 (of 4 total)
Plugin Author julien731

    (@julien731)

Indeed you’re right, it shouldn’t sit in the DB forever. There is currently no cleaning feature but I planned on adding it (see the issue on GitHub). I’ll probably integrate an automatic cleaning + a manual option.

    Thread Starter dthorpe

    (@dthorpe)

    Ok, thanks for the reply.

    Deleting OTPs from the DB that are older than, say, 5 minutes is very important to avoid server bloat on high traffic servers.

    Given that time-based OTPs such as Google Authenticator are only valid for 60 seconds (+ clock skew allowance by verifying server), I don’t really see a pressing need to store OTPs as a hedge against replay attacks.

    Would you consider an option to not store OTPs in a DB at all?

    Plugin Author julien731

    (@julien731)

    You’re absolutely right. I’ll work on this improvement ASAP. I didn’t plan to add an option to not store TOTPs in DB at all, but that wouldn’t be hard to do.

    Plugin Author julien731

    (@julien731)

I finally found some time to update the plugin. Old TOTPs will now automatically be deleted from the DB daily.

    Actually, you should deactivate and re-activate the plugin in order to make sure the cron task is enabled.
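The retention question raised in this thread, as an added example that is not the plugin's code: a small RFC 6238 TOTP verifier (30-second step, one step of clock skew assumed) that records each used (user, counter) pair to reject replays, and prunes pairs as soon as they fall outside the acceptance window, so the store stays bounded instead of growing forever. `TotpVerifier` and the demo secret are constructed for this example.

```python
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
SKEW = 1     # accept one step either side of "now" for clock drift
DIGITS = 6


def totp(secret: bytes, counter: int) -> str:
    """HOTP/TOTP code for one time-step counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Verifies codes and remembers used ones only while they could still be
    accepted; anything older than the window cannot be replayed anyway."""

    def __init__(self) -> None:
        self.used = {}   # (user, counter) -> unix time the code was first accepted

    def prune(self, now: int) -> int:
        # Oldest counter the verify() window can still accept at time `now`.
        oldest_counter = now // STEP - SKEW
        self.used = {k: t for k, t in self.used.items() if k[1] >= oldest_counter}
        return len(self.used)   # entries remaining after pruning

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        self.prune(now)
        base = now // STEP
        for counter in range(base - SKEW, base + SKEW + 1):
            if hmac.compare_digest(totp(secret, counter), code):
                if (user, counter) in self.used:
                    return False   # correct code, but already used: replay
                self.used[(user, counter)] = now
                return True
        return False   # no counter in the window produced this code


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"   # constructed, not a real key
    v, now = TotpVerifier(), 1_700_000_000
    code = totp(demo_secret, now // STEP)
    print(v.verify("alice", demo_secret, code, now))        # True
    print(v.verify("alice", demo_secret, code, now + 10))   # False (replay)
    print(v.prune(now + 300))                               # 0 (store emptied)
```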

The topic ‘When are old OTPs deleted from db?’ is closed to new replies.