DEV Community

Discussion on: OTP verification without any Database

infamousmrs profile image

Hi @Anam - interesting idea.

Because you provide the signature hash, and all components used to generate that hash except for the OTP digits, and because you don't store anything ever, how do you stop brute force where an attacker gets the first response and then tries 999999 times to guess the OTP (the only part the client doesn't know) via brute force?

To detect multiple attempts you would need to store something, and if you were subject of such attack it will also kill all your performance gains from not using data storage. Or you'll need to block spamming attempts in an outer http layer like load balancer, proxy etc.

mkotzjan profile image
Michael Kotzjan

Hello @infamousmrs ,

@Anam explained his method using a hash algorithm but implemented it using a MAC, more specifically the HMAC algorithm. A hash would open his method for the attack suggested by you, but a MAC algorithm uses a cryptographic key to ensure that only the owner of the key is able to create a MAC. An attacker could therefore only try to brute force the complete MAC (at least 32 Bytes using HMAC).

The term Hash should be replaced by MAC in this article to avoid confusion