I notice that the TiQR token's fail counter does not increase when I successfully trigger a challenge and enter an incorrect OTP. Looking at the source code of `tiqrtoken.py`, the method `inc_failcount()` is never called for an INVALID_RESPONSE:
```python
# Challenge is still valid (time has not passed) and no correct
# response was given.
serial = challenges[0].serial
tokens = get_tokens(serial=serial)
if len(tokens) == 1:
    # We found exactly the one token
    res = "INVALID_RESPONSE"
    r = tokens[0].verify_response(
        challenge=challenges[0].challenge, passw=passw)
    if r > 0:
        res = "OK"
        # Mark the challenge as answered successfully.
        challenges[0].set_otp_status(True)
```
Why is this the desirable behavior? I expected that an incorrect OTP would be regarded as a failed authentication and would increment the fail counter.