How many TOTP/HOTP secrets can a NitroKey store?

Hi! I’m a current YubiKey user; and for a few years, I’ve had to carry two YubiKeys due to the limit upon how many credentials a single YubiKey can store (32 apiece).

It’s been a huge hassle to unplug one key and plug in another every time I log into another device/service, or unplug my secondary “more-TOTP creds” key and plug in my original one every time I want to use U2F or sign a Git commit.

Does a NitroKey store ≥32 creds? If so, what is the upper limit; and if not, are you open to increasing the limit beyond that on the next device (which Yubikey was, unfortunately, decidedly not)?

(Rationale / side-note: holy crap, seriously though, it’s 2020. It can’t be that uncommon to have more than 32 services that use one-time passwords nowadays, can it? I’m not that much of a power-user!)



Currently Nitrokey Pro and Nitrokey Storage both support 15 TOTP slots, and 3 (4) HOTP slots.

We are in the process of updating the design for modern needs, though. I understand you need a device with 64 slots for TOTP. We will consider this; however, OTP passcodes might already be a thing of the past due to the introduction of FIDO U2F / FIDO2, which is much safer and easier to use (thus making time spent on this feature lost). Have you considered switching to it (whenever possible)?

cc: @jan @nitroalex

Yeah; I’m using U2F everywhere possible; and rabidly looking forward to WebAuthn making it all a thing of the past.

Sadly, we all know how a lot of organizations view security — “but, but we already solved security in our project like, five years ago. You want us to do it all over again!?”. A lot of the OTP-style products I use are, uh, not exactly hugely technically competent (in a lot of these cases, it’s a frickin’ miracle they use 2FA of any form); and I just … can’t see them switching to WebAuthn or anything newer for many, many years.

Add to that the fact that more companies are going to be joining the above-described club for a couple more years from now, as WebAuthn really settles in, all the tutorials for developers get updated, and the New Way percolates through the web … and I fully expect to have dozens of TOTP creds for many, many years to come. /=


Added ticket for tracking: