TiQR tokens fail counter

duc12597 · March 13, 2019, 4:01am

I notice that the TiQR tokens’ fail counter do not increase when I successfully triggered a challenge and entered an incorrect OTP. Looking at the source code of tiqrtoken.py, the method inc_failcount() is never called for an INVALID_RESPONSE:

# Challenge is still valid (time has not passed) and no correct response was given.
serial = challenges[0].serial
tokens = get_tokens(serial=serial)
if len(tokens) == 1:
  # We found exactly the one token
  res = "INVALID_RESPONSE"
  r = tokens[0].verify_response(challenge=challenges[0].challenge, passw=passw)
  if r > 0:
    res = "OK"
    # Mark the challenge as answered successfully.
    challenges[0].set_otp_status(True)

Why is this the desirable behavior? I expected an incorrect OTP would be regarded as a fail authentication and would increment the fail counter.

cornelinux · March 14, 2019, 6:00am

The TiQR code is very old.

I do not know anyone, who uses it.

The OTP value is sent by the correct smartphone via http. So usually either the correct OTP is sent or None.

How would you enter the incorrect OTP?

duc12597 · March 14, 2019, 6:29am

I create a TiQR token, enroll its secret key via API calls instead of the smartphone app, trigger a challenge and authenticate against /ttype/tiqr using a random OTP value.