Collaborate Disseminate
I’m exploring the concepts of TOTP/HOTP in a simple JavaScript application with the help of this OTPAuth plugin.
The knowledge gap I’m hoping to fill is how do mobile MFA applications deduce the countdown timer duration from TOTP.generate(… Continue reading How to derive a TOTP countdown? [closed]
Some service like Bitwarden use the password to encrypt part of your personal data, so that nobody except you can access it, and they archive this because the server only gets your password’s hash from your login prompt the server never kn… Continue reading Alternatives for password where at least one secret is not know by the server, with similar transparency
When logging in to azure the login process emails me a short one time code to use and doesn’t require a password. I am assuming it is a well trusted process in order to be used on such critical infrastructure, but I am not familiar with th… Continue reading One time password as passwordless authentication [duplicate]
Nowadays, 2FA apps usually require you to insert a number which you are presented with when trying to authenticate. For example, the following screenshot is from Microsoft Authenticator:
This is called number matching, and is in contrast … Continue reading What is the point of entering numbers in the two-factor authentication app?
I’m exploring the security implications of OTP (One-Time Password) authentication and wondering about the effectiveness of server-side protections against brute force attacks.
If an attacker attempts to send all possible OTP codes within a… Continue reading Can Sending All Possible Otp Codes Within 1 Second Bypass Server Protections? [duplicate]
We are using TOTP(https://datatracker.ietf.org/doc/html/rfc6238) for a web application to enhance the security. TOTP works on UTC. if system clock drifts OR NTP is not synced, TOTP generated by application (like MS Authenticator, or Google… Continue reading Can displaying date and time on screen upon TOTP login failure makes system more vulnerable?
Apple provided the capability of using TOTP within iOS itself and I noticed there was a section for Use a verification code on a website or in an app which bypasses the QR Code.
My question is whether that the setup key in the setup verifi… Continue reading Are Apple TOTP verification codes the HOTP secret?
A couple of my friends have been in a kind of pickle recently. There have been attempts to hack their Telegram accounts and hackers somehow learned their one time pass codes but the login attempts were thwarted because my friends had long … Continue reading Is it possible that Telegram’s OTP has been hacked?
I recently registered with a bank that has an online banking platform. The platform website requires login with a proprietary OTP generator app. To activate this application, the bank sent me two numbers, both private:
Serial key: XXXXX-XX… Continue reading Getting Time-OTP Secret Key from Activation and Serial keys [closed]
I am building a token-based authentication API, and I have three main methods:
Register Method: It takes credentials (email, password, phone number) and creates the user, then sends an OTP message to the phone number provided in the creden… Continue reading Should i verify otp after login or before?