auth_totp_length
Specifies the length of the TOTP (Time-based One-Time Password) used for authentication.
Description
The auth_totp_length directive in NGINX's TOTP authentication module sets the number of digits in the one-time passwords (OTPs) generated for authentication. It lets administrators choose the OTP length that matches their security requirements. The value also determines how much guessing resistance each OTP has: a longer OTP (e.g., 8 digits) provides a larger keyspace than a shorter one (e.g., 6 digits) and is therefore harder to brute-force.
The directive can be configured in various contexts, including http, server, location, and limit_except, which allows it to be tailored to specific application needs. For example, a specific location may require a different OTP length than the rest of the application for enhanced security measures on sensitive paths. After configuring this directive, NGINX generates TOTP values according to the defined digit length, which clients must provide during the authentication process for validation.
Config Example
location /protected {
    auth_totp_realm "Protected";
    auth_totp_length 8;
    auth_totp_file /etc/nginx/totp.conf;
}

Ensure the OTP length is compatible with the clients generating the TOTP codes; mismatched lengths can lead to authentication failures.
Consider the user experience when increasing the length of the OTP as longer passwords can be cumbersome to enter.
Test the lengths specified in production to ensure both usability and security goals are met.
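To show why the length configured in NGINX must match what clients generate, here is an added Python example (not the module's code and not from this page) that implements RFC 6238 TOTP with a configurable digit count and a server-side check that models an auth_totp_length setting; the secret and timestamps are the RFC 6238 reference test values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample input: the RFC 6238 reference secret, ASCII "12345678901234567890".
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    # to 31 bits, then reduce modulo 10**digits. The digit count sets the keyspace.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int, for_time: Optional[int] = None, step: int = 30) -> str:
    # RFC 6238: HOTP with the counter taken from the current 30-second time step.
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify(secret: bytes, candidate: str, expected_digits: int,
           for_time: int, step: int = 30, window: int = 1) -> bool:
    # Server-side check modelling auth_totp_length = expected_digits: reject a
    # code of the wrong length outright, then compare in constant time against
    # the current step and +/- window neighbouring steps to tolerate clock skew.
    if len(candidate) != expected_digits or not candidate.isdigit():
        return False
    for skew in range(-window, window + 1):
        expected = totp(secret, expected_digits, for_time + skew * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def length_mismatch_demo(at_time: int = 59) -> dict:
    # Same secret, same moment: the 6-digit code is just the low-order digits of
    # the 8-digit code, yet it fails when the server is configured for 8 digits.
    six, eight = totp(SECRET, 6, at_time), totp(SECRET, 8, at_time)
    return {"six": six, "eight": eight,
            "six_accepted_at_len8": verify(SECRET, six, 8, at_time),
            "eight_accepted_at_len8": verify(SECRET, eight, 8, at_time)}


if __name__ == "__main__":
    print(length_mismatch_demo())
```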