Restrictions:

  • Access token will be short lived (2 minutes)
  • Access token will be one-time use only.

Given a strong random algorithm, would it be considered good practice to generate an opaque access token by generating 256/512 random bits that are afterwards base64-encoded for transmission?

The bit size and the randomness of the algorithm will of course correlate directly with the entropy, and thereby with the number of combinations to brute-force within a 2 minute time period.

My own opinion is that the entropy level directly defines whether this is a safe approach or not, but I'm wondering if there is a different approach to opaque token generation that I am not considering.

  • TOTP might be helpful here - https://en.wikipedia.org/wiki/Time-based_one-time_password – maerics Feb 09 '22 at 15:15
  • @maerics sorry, but I don't see how TOTP will be more secure than an actual randomly generated string. I would even argue it's the contrary, as it uses a deterministic input (the current time). – MatthewAws Feb 10 '22 at 07:58
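The scheme the question describes (256 random bits from the OS CSPRNG, URL-safe base64 for transmission, a 2 minute lifetime, single use), as an added example that is not part of the original post. The `TokenStore` class, the injectable `clock` parameter and the `brute_force_success_probability` helper are this example's own assumptions; the server stores only a SHA-256 digest of each issued token so that a leaked store does not hand out usable tokens, and the one-time-use rule is enforced by removing the digest on first redemption.

```python
import base64
import hashlib
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of entropy from the OS CSPRNG (secrets module)
TOKEN_TTL_SECONDS = 120   # "short lived (2 minutes)"


def generate_token(nbytes: int = TOKEN_BYTES) -> str:
    """Return an opaque, URL-safe token carrying nbytes * 8 bits of entropy."""
    raw = secrets.token_bytes(nbytes)
    # URL-safe base64 with the '=' padding stripped: 32 bytes -> 43 characters.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _digest(token: str) -> str:
    # Only the digest is persisted; the plaintext token exists only on the wire
    # and in the client. Hashing first also removes any timing leak a direct
    # string comparison of the secret could introduce.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Hypothetical server-side store enforcing the two restrictions: TTL and one-time use."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._issued = {}        # digest -> expiry timestamp (seconds since epoch)

    def issue(self) -> str:
        """Mint a fresh token, remember its digest and expiry, hand the plaintext to the client."""
        token = generate_token()
        self._issued[_digest(token)] = self._clock() + self._ttl
        return token

    def redeem(self, token: str) -> bool:
        """Consume the token. Succeeds exactly once, and only before expiry."""
        # pop() removes the entry on the first attempt, so a second presentation
        # of the same token (valid or not) always fails: one-time use.
        expiry = self._issued.pop(_digest(token), None)
        if expiry is None:
            return False
        return self._clock() <= expiry

    def purge_expired(self) -> int:
        """Drop entries whose TTL has elapsed; returns how many were removed."""
        now = self._clock()
        stale = [d for d, exp in self._issued.items() if exp < now]
        for d in stale:
            del self._issued[d]
        return len(stale)


def brute_force_success_probability(bits: int, guesses_per_second: float,
                                    window_seconds: float = TOKEN_TTL_SECONDS) -> float:
    """Probability that blind guessing hits one outstanding token within the window.

    Assumes a single valid token at a time; with N live tokens multiply by N.
    """
    return guesses_per_second * window_seconds / 2.0 ** bits


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue()
    print("token:", t, "len:", len(t))
    print("first redeem:", store.redeem(t))
    print("second redeem:", store.redeem(t))
    # Even at 1e9 guesses/s for the full 2 minutes, 256 bits leaves ~1e-66 odds.
    print("p(brute force, 256 bits, 1e9 guesses/s):",
          brute_force_success_probability(256, 1e9))
```

The `brute_force_success_probability` helper makes the point in the question concrete: the work an attacker can do in the 2 minute window is what matters, and against 256 bits of true randomness even a billion online guesses per second leaves the success probability around 10^-66, so the short lifetime and single use are defence in depth rather than the primary protection. In a real deployment the store would live in a shared cache or database, and `purge_expired` would run periodically so unredeemed tokens do not accumulate.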
