Collaborate Disseminate
Recently, I discovered that MFA apps just calculate that codes based on a private key and the time clock, so it’s easy to use tools like gnu pass to replace those apps with your computer.
But what are the securities drawbacks when we do th… Continue reading Is using the computer for MFA safe?
Can the Mobile phone One Time Password authentication be alphanumeric with special characters?
If Yes, There will be more pros and less cons with increased security?
One Time password
Can a One Time Password decimal number increase securit… Continue reading One Time Password Mobile phone authentication
I have a form where the user can add his phone number then, he receives a verification code on his phone number to log in/register.
Now a user could make too many requests with generated valid numbers to cost me more money (the cost of sen… Continue reading How to limit user from making too many request on an API endpoint? [duplicate]
I’m building an high velocity auth system, used both for user to machine and machine to machine authentication and authorization. To prevent a replay attack I’m adding a nonce to each request, but in order to avoid a roundtrip the nonce is… Continue reading Adding salt to TOTP
I want TOTP (in layman’s terms: Google Authenticator codes; I use KeePassXC to access the keys) to be my primary way to verify my logins into my Google account. The problem is that I can only remove the Google prompt sent to my devices if … Continue reading How to ONLY allow TOTP codes for Google two-factor authentication without signing account out of mobile devices [closed]
I just called a number that I thought was my bank’s and reached a customer service representative that asked me to verbally read to them a one-time passcode that was texted to my phone.
Is this standard practice?
I can’t imagine anybody bu… Continue reading Is reading off a OTP code over the phone standard practice?
I just wanted to understand the best practice which should be followed for OTP. Should OTP failed attempts be reset again if there is a new otp generated by end user by clicking on a resend button. If we reset the count again for each new … Continue reading Should OTP failed attempts be reset if user clicks on a resend?
I was wondering if there is a formula to calculate how long it would take to "guess" a "X-Digit" OTP, presuming you limited the number of times you can try for each code and the number of codes you can get over a period… Continue reading What is the formula to estimate how long it can take to guess an OTP? [migrated]
I have come across scenarios where a website would send OTP once a user has supplied valid username/password. A confirmation dialog e.g. An OTP has been sent to your registered mobile number would be displayed to the user. When a user has … Continue reading Does this implementation of 2FA expose valid credentials?
There has been many discussions about this topic on this website. But mostly outdated. I wanted to draw your attention back to this. Although nothing has changed, but I can’t come up with any reasons to not use TOTP as a replacement for pa… Continue reading Use TOTP as a single factor authentication [closed]