AuthSelect is an SQL query that fetches HOTP token data from the SQL database.
AuthSelect is expected to return a number of fields that describe the token.
The following fields are mandatory:
- Field 0 is the HEX encoded secret key for the token
- Field 1 is the counter high part
- Field 2 is the counter low part
The following fields are optional:
- If field 3 (active) is defined, it must be 1 or another true value,
else the authentication is rejected. Empty and 0 are false.
- Field 4 (pin) is the user's static PIN. It will be checked if the
user specifies a static password or if Require2Factor is not set to disabled.
- Field 5 (digits) is the number of digits in the user's HOTP code.
If NULL, the value of DefaultDigits is used.
- Field 6 (bad_logins) counts the number of consecutive
authentication failures. If defined it will be used to detect brute
force attacks and must be updated by UpdateQuery.
- Field 7 (last_time_accessed) is the unix timestamp of the last
authentication attempt. It is used to detect brute force attacks.
Current username is available as %0 which is SQL quoted when used in AuthSelect
and unmodified when used with AuthSelectParam.
The default works with the sample database schema provided in goodies/hotp.sql.
The default is:
select secret, counter_high, counter_low, active, pin, digits,
bad_logins, unix_timestamp(accessed) from hotpkeys where username=%0
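
To show how the mandatory and optional fields fit together, the following added example (not part of the original documentation and not Radiator's own code) applies the rules for fields 0 to 3 and 5 to one returned row and computes the expected code with the RFC 4226 HOTP algorithm. The function names, the default of 6 digits, the sample row and the way the counter high and low parts are joined into one 64-bit counter are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DEFAULT_DIGITS = 6  # assumed stand-in for the DefaultDigits setting


def hotp(secret_hex, counter, digits):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    key = bytes.fromhex(secret_hex)  # field 0 is hex encoded
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_row(row, submitted_code, default_digits=DEFAULT_DIGITS):
    """Apply the field rules to one AuthSelect row; return (ok, reason)."""
    if len(row) < 3:
        return False, "missing mandatory fields 0-2"
    secret_hex, high, low = row[0], row[1], row[2]
    # Field 3 (active): only checked when defined; empty and 0 are false.
    if len(row) > 3 and row[3] is not None and str(row[3]) in ("", "0"):
        return False, "token not active"
    # Field 5 (digits): NULL falls back to the default.
    digits = row[5] if len(row) > 5 and row[5] is not None else default_digits
    # Assumption: high and low are the 32-bit halves of a 64-bit counter.
    counter = (int(high) << 32) | int(low)
    expected = hotp(secret_hex, counter, int(digits))
    # Constant-time comparison of the expected and submitted codes.
    if not hmac.compare_digest(expected.encode(), submitted_code.encode()):
        return False, "HOTP mismatch"
    return True, "ok"


# Constructed sample row in the column order of the default query, using
# the RFC 4226 test secret (ASCII "12345678901234567890") and counter 1.
SAMPLE_ROW = ("3132333435363738393031323334353637383930",
              0, 1, 1, None, None, 0, 0)

if __name__ == "__main__":
    print(check_row(SAMPLE_ROW, "287082"))
```

The static PIN check (field 4) and the brute force counters (fields 6 and 7) are left out of this sketch.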