By: Stuart Bland user 29 Jan 2019 at 5:06 a.m. CST

4 Responses
We're setting up Gluu as an identity platform at short notice for a cloud ERP system which doesn't natively support MFA. We have a working example of TOTP using authenticator apps, but have a reasonable number of users who we expect won't have smartphones, and would therefore like to have email HOTP for these users. I have been told that we can customise the Twilio SMS OTP script for this, but don't have much experience of Python so was hoping someone might have a working example they could share?
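An added example (not a script from this thread, from Gluu, or from the Twilio SMS OTP script) of the server-side logic an email HOTP step needs: RFC 4226 code generation, verification of any outstanding code with a constant-time compare, a cap on how many unverified codes can be issued (so a "resend" loop cannot flood a mailbox), and a guess limit that locks the session. It is plain Python rather than Gluu's Jython custom-script interface; the email send itself is left as a hypothetical `send_email()` call, and the secret used in the assertions is the RFC 4226 test vector, not a production key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

class EmailHotpSession:
    """Per-user server-side state for email OTP (added example, not Gluu's script API).

    Each issued code consumes one HOTP counter value. At most max_outstanding codes may be
    unverified at once (caps resend floods); max_attempts wrong guesses lock the session.
    """

    def __init__(self, secret: bytes, max_outstanding: int = 3, max_attempts: int = 5):
        self.secret = secret
        self.next_counter = 0          # counter of the next code to issue
        self.consumed_upto = -1        # highest counter that is no longer accepted
        self.max_outstanding = max_outstanding
        self.max_attempts = max_attempts
        self.attempts_left = max_attempts
        self.locked = False

    def issue_code(self):
        """Return the code to email (hypothetical send_email(code) goes here), or None."""
        if self.locked or self.next_counter - self.consumed_upto - 1 >= self.max_outstanding:
            return None
        code = hotp(self.secret, self.next_counter)
        self.next_counter += 1
        return code

    def verify(self, submitted: str) -> bool:
        """Accept any outstanding code once; a success consumes every outstanding code."""
        if self.locked:
            return False
        for counter in range(self.consumed_upto + 1, self.next_counter):
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.consumed_upto = self.next_counter - 1   # no replay of older codes
                self.attempts_left = self.max_attempts
                return True
        self.attempts_left -= 1
        if self.attempts_left <= 0:
            self.locked = True           # stays locked until an operator resets it
        return False
```

The lock is per session, so online guessing against one user is bounded by max_attempts rather than by the 10^6 code space; the issue cap is what keeps an attacker from driving up mail volume the way Stuart fears an SMS bill would grow.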

By William Lowe staff 29 Jan 2019 at 5:13 a.m. CST

> but have a reasonable number of users who we expect won't have smartphones

Can you use OTP via SMS instead? It's arguably more secure and a better user experience than OTP via email, plus users don't need a smartphone to participate. If you must have OTP via email, we can make an introduction to a partner who could help with writing the script for this requirement.

Thanks,
Will

By Stuart Bland user 29 Jan 2019 at 5:22 a.m. CST

Hi Will,

The business is nervous of SMS OTP - providers in the UK are quite expensive and there is a fear that a brute-force attack could generate a huge number of messages and hence a large SMS bill. We would therefore prefer email if we can get it working...

Cheers,
Stuart

By Michael Schwartz staff 29 Jan 2019 at 7:34 a.m. CST

Control of email is a very weak form of authentication. The amount of risk this strategy mitigates probably does not justify the transaction costs to the end user. Control of email is an even weaker credential than a password. Browsers get compromised, and then hackers launch an instance of the browser with all the cookies in place. And given that email providers like Google almost never authenticate you, you can see the problem. If you're concerned about a brute-force attack, perhaps you should put a CAPTCHA on your login page. This would prevent it.

By William Lowe staff 06 Feb 2019 at 8:26 a.m. CST

Closing this out, Stuart. As Mike mentioned, OTP over email arguably doesn't add enough extra security to justify the hit to user experience. That said, if you do end up going down this path and would like to contribute the script back to the project, just let me know.

Thanks,
Will