From 26d4a3e64660e46c4c95009a7c04ae8b45e56d93 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Tue, 26 Aug 2014 10:44:54 +0100
Subject: [PATCH] add detail on OTP implementation

---
 README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/README.md b/README.md
index 84b101f..6172775 100644
--- a/README.md
+++ b/README.md
@@ -110,6 +110,17 @@ method. The comment is a free-form string set by the user to tell the
 various credentials apart.
 
 
+## OTP implementation
+
+The authentication server uses a very simple implementation of
+time-based OTP (TOTP), supporting a single secret per user and without
+any fancy features such as emergency tokens etc. The reason for this
+is that TOTP authentication requires just plain read-only access to
+the user database, while counter-based authentication with proper
+token revocation is a read-write, locked operation which is more
+difficult to perform on a LDAP backend.
+
+
 # Usage
 
 ## Client authentication
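Review bot: the new "OTP implementation" paragraph should state whether a TOTP code can be reused within its validity window, because the argument that TOTP needs only "plain read-only access to the user database" implies the server keeps no record of which time-step counters have already been accepted; RFC 6238 (section 5.2) recommends that a verifier accept each one-time password only once, which requires at least some per-user write (last-used counter or a short-lived cache). Suggest either documenting the replay window explicitly ("a code remains valid for N time steps and may be accepted more than once during that window") or noting how it is mitigated, so operators can weigh it against the counter-based alternative the paragraph rejects. Minor wording: "a LDAP backend" should read "an LDAP backend", and "without any fancy features such as emergency tokens etc." would read better as "without extras such as emergency/backup tokens".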
-- 
GitLab