Collaborate Disseminate
An application is logging wrong OTPs (but not correct OTPs). I asked the application developers to not log wrong OTPs because I do not see any benefits. However, they do not want to modify the application code, and are asking me (I have no… Continue reading What security risks do you see with wrong OTPs appearing in application logs?
I am designing a system that allows users to purchase my NFC cards and sign up for an account on my online SaaS website.
The System
For the sake of explanation, assume the website is hosted at domain test.com.
Think of this system as a &qu… Continue reading How to avoid non-in-person "handshakes" and spoofing due to compromised URL data on NFC card
I’m exploring the concepts of TOTP/HOTP in a simple JavaScript application with the help of this OTPAuth plugin.
The knowledge gap I’m hoping to fill is how do mobile MFA applications deduce the countdown timer duration from TOTP.generate(… Continue reading How to derive a TOTP countdown? [closed]
Some service like Bitwarden use the password to encrypt part of your personal data, so that nobody except you can access it, and they archive this because the server only gets your password’s hash from your login prompt the server never kn… Continue reading Alternatives for password where at least one secret is not know by the server, with similar transparency
When logging in to azure the login process emails me a short one time code to use and doesn’t require a password. I am assuming it is a well trusted process in order to be used on such critical infrastructure, but I am not familiar with th… Continue reading One time password as passwordless authentication [duplicate]
Nowadays, 2FA apps usually require you to insert a number which you are presented with when trying to authenticate. For example, the following screenshot is from Microsoft Authenticator:
This is called number matching, and is in contrast … Continue reading What is the point of entering numbers in the two-factor authentication app?
I’m exploring the security implications of OTP (One-Time Password) authentication and wondering about the effectiveness of server-side protections against brute force attacks.
If an attacker attempts to send all possible OTP codes within a… Continue reading Can Sending All Possible Otp Codes Within 1 Second Bypass Server Protections? [duplicate]
We are using TOTP(https://datatracker.ietf.org/doc/html/rfc6238) for a web application to enhance the security. TOTP works on UTC. if system clock drifts OR NTP is not synced, TOTP generated by application (like MS Authenticator, or Google… Continue reading Can displaying date and time on screen upon TOTP login failure makes system more vulnerable?
Apple provided the capability of using TOTP within iOS itself and I noticed there was a section for Use a verification code on a website or in an app which bypasses the QR Code.
My question is whether that the setup key in the setup verifi… Continue reading Are Apple TOTP verification codes the HOTP secret?
A couple of my friends have been in a kind of pickle recently. There have been attempts to hack their Telegram accounts and hackers somehow learned their one time pass codes but the login attempts were thwarted because my friends had long … Continue reading Is it possible that Telegram’s OTP has been hacked?