I notice that the TiQR tokens’ fail counter does not increase when I successfully trigger a challenge and enter an incorrect OTP. Looking at the source code of tiqrtoken.py, the method inc_failcount() is never called for an INVALID_RESPONSE:

    # Challenge is still valid (time has not passed) and no correct response was given.
    serial = challenges[0].serial
    tokens = get_tokens(serial=serial)
    if len(tokens) == 1:
        # We found exactly the one token
        res = "INVALID_RESPONSE"
        r = tokens[0].verify_response(challenge=challenges[0].challenge, passw=passw)
        if r > 0:
            res = "OK"
            # Mark the challenge as answered successfully.
            challenges[0].set_otp_status(True)

Why is this the desirable behavior? I expected an incorrect OTP would be regarded as a failed authentication and would increment the fail counter.
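
The difference the post describes, as an added example that is not privacyIDEA code and not part of the original post: the same response check run with and without a fail-counter increment on a wrong OTP. `StubToken`, `check_response`, `submit_guesses`, the `max_fail` limit, the `LOCKED` result and all sample values are constructed assumptions; only `verify_response`, `inc_failcount` and the result strings `OK` and `INVALID_RESPONSE` are names taken from the excerpt.

```python
# Constructed stand-ins for illustration; these are not privacyIDEA classes.
class StubToken:
    """Minimal token with a fail counter and a lockout threshold (assumed)."""

    def __init__(self, expected_otp, max_fail=3):
        self.expected_otp = expected_otp
        self.failcount = 0
        self.max_fail = max_fail

    def verify_response(self, challenge, passw):
        # Same convention as the excerpt: a value > 0 means success.
        return 1 if passw == self.expected_otp else -1

    def inc_failcount(self):
        self.failcount += 1

    def is_locked(self):
        return self.failcount >= self.max_fail


def check_response(token, challenge, passw, count_failures):
    """Evaluate one submitted response against a still-valid challenge."""
    if token.is_locked():
        return "LOCKED"
    res = "INVALID_RESPONSE"
    if token.verify_response(challenge=challenge, passw=passw) > 0:
        res = "OK"
    elif count_failures:
        # The step that is absent from the quoted code path.
        token.inc_failcount()
    return res


def submit_guesses(count_failures, guesses):
    """Submit several responses to one token; return results and fail count."""
    token = StubToken(expected_otp="492817")  # constructed sample OTP
    results = [
        check_response(token, "constructed-challenge", g, count_failures)
        for g in guesses
    ]
    return results, token.failcount


if __name__ == "__main__":
    guesses = ["000000", "111111", "222222", "492817"]
    print("without increment:", submit_guesses(False, guesses))
    print("with increment:   ", submit_guesses(True, guesses))
```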