5.1 Security Considerations for Implementers
In general, DTAG provides protection at the strength of the one-time password (OTP), where the OTP is required to be:
Cryptographically random and difficult to guess.
Transported to the endpoints out of band, for example through user interaction; the details of that transport are not described in this specification. To make this practical, the OTP may be short enough for the user to remember.
Generated anew each time DTAG is started or restarted.
The number of OTP characters is required to be equal to or greater than the number of iterations.
The number of validate rounds (N) is required to be at least 2, with a minimum of 4 recommended.
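As an added illustration, not part of the specification, the following Python helper generates an OTP from a CSPRNG that satisfies the requirements above and checks the configured iteration and validate-round parameters; the user-friendly alphabet and the function names are assumptions.

```python
import math
import secrets
from typing import List, Optional

# Assumed alphabet (not from the specification): digits and upper-case
# letters with the easily confused 0/O and 1/I removed, so a user can
# read the OTP back without errors.
OTP_ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"

MIN_VALIDATE_ROUNDS = 2          # required minimum for N
RECOMMENDED_VALIDATE_ROUNDS = 4  # recommended minimum for N


def otp_entropy_bits(length: int, alphabet_size: int = len(OTP_ALPHABET)) -> float:
    """Upper bound on the protection DTAG gets from the OTP: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def generate_otp(iterations: int, length: Optional[int] = None) -> str:
    """Generate a fresh OTP with the secrets module (a CSPRNG, never random).

    The OTP must have at least as many characters as there are iterations,
    so the default length is exactly that minimum; call it again on every
    (re)start so the OTP is never reused.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    length = iterations if length is None else length
    if length < iterations:
        raise ValueError("OTP length must be >= number of iterations")
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def check_parameters(otp: str, iterations: int, validate_rounds: int) -> List[str]:
    """Enforce the hard requirements; return warnings for the recommendation."""
    if len(otp) < iterations:
        raise ValueError(
            f"OTP has {len(otp)} chars but {iterations} iterations are configured")
    if validate_rounds < MIN_VALIDATE_ROUNDS:
        raise ValueError(
            f"N={validate_rounds} is below the required minimum of {MIN_VALIDATE_ROUNDS}")
    warnings = []
    if validate_rounds < RECOMMENDED_VALIDATE_ROUNDS:
        warnings.append(
            f"N={validate_rounds} is allowed, but {RECOMMENDED_VALIDATE_ROUNDS} is recommended")
    return warnings


if __name__ == "__main__":
    otp = generate_otp(iterations=8)
    print(otp, f"{otp_entropy_bits(len(otp)):.1f} bits", check_parameters(otp, 8, 3))
```

An 8-character OTP from this 32-symbol alphabet gives at most 40 bits, which is the ceiling on the protection DTAG can provide with that OTP.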