new tokentype: backup codes

[katgirl]

It would be nice if I could use the paper tokens as backup tokens. I would also like to make them alphanumeric with ten characters.

But it would also be enough for me if I could increase the length.

[plettich]

Hi @katgirl
The paper token is based on the HOTP algorithm (https://datatracker.ietf.org/doc/html/rfc4226) so we are limited to the lengths provided by the standard (6 and 8). It should be possible to add a policy to switch to a length of 8 for paper/tan token.
To support arbitrary length and characters we would need to implement a completely new token type.

[katgirl]

That would be great, because unfortunately it happens that you misplace your tokens ;-)
One idea could be found here:
https://github.com/contao/contao/blob/4b80d4721ca926848383c514d8ae89a147534759/core-bundle/src/Security/TwoFactor/BackupCodeManager.php#L82-L106

[cornelinux]

@katgirl for now you could use a number of registration code tokens as backup tokens/codes.
You could do this without any further privacyidea code modification.

I also confirm with @plettich that if we were to implement such funcionality, we would need to think about which tokenclass to inherit. And for this we would first need to gather further requirements.
Then I would close this issue or rename it from "paper token length" to "new tokentype: backup codes".

[cornelinux]

Note: The TANtoken stores arbitrary TANs in the tokeninfo.

A backup token could also be a container with a number of registration codes.