Collaborate Disseminate
I would like to require users to add a TOTP device immediately after signup to my app. Generally the steps would be:
Create user with password and send a verification email with a token
User clicks the verify link with the token
Server ve… Continue reading What is the proper flow to add an MFA device to a new user?
Usually when a server data breach occurs, information that gets leaked includes usernames and password hashes, rarely do you see a data breach where 2FA TOTP seeds gets leaked alongside them. How come this is the case? I thought the server… Continue reading Why are TOTP seeds rarely leaked in data breaches?
I’m hosting a website on a free hosting provider server that uses PHP for OTP-based authentication. Here’s how it works:
If an unregistered IP address visits the site, it shows an "Unauthorized" message.
For registered IPs, the… Continue reading Is my TOTP key secure on a free hosting provider server with FTP and .htaccess restrictions?
Why authenticator Apps produce code every few seconds rather than having a button to generate an one time code that would be active for the same duration as in TOTP? Am I missing something here? Doesn’t generating a code every few seconds … Continue reading Why authenticator Apps produce code every few seconds?
I am trying to figure out the implications of authentication technologies. Answers to a previous question indicate my real question is more "meta than that.
The primary requirements for an authentication system from my point of view… Continue reading Is there a private, secure and easy login system?
The commonly used Time based One Time Password (TOTP) system requires the initial sharing of a key. This presents a security risk, as acknowledged by Wikipedia referencing the RSA compromise:
An attacker with access to this shared secre… Continue reading Is there an asymmetric TOTP algorithm that avoids sharing a private key over public channels?
I’m adding 2FA to my app and have set it up for users who have registered with email. I also have users who log in with Facebook and others who use their mobile number.
Should I also add TOTP for users who log in with Facebook, or is that … Continue reading Do I need to add TOTP 2FA for Facebook and mobile number logins in my app?
Ticketmaster is having a rough time lately. Recently, a hacker named [Conduition] managed to reverse-engineer their new “safe” electronic ticket system. Of course, they also had the recent breach where …read more Continue reading Ticketmaster SafeTix Reverse-Engineered
I’m trying to create a simple web-app (for personal use, but also trying to learn some things along the way). If the stack is important, I’m using:
SvelteKit for Frontend
Netlify Functions for the API
Supabase for the DB (not auth, just D… Continue reading Considerations when setting up passkey + TOTP login
I am working on a application which requires session token to commence trading activities. This will be hosted on a cloud based Linux VM (Ubuntu) and a managed MySQL database.
Session token are generated using a TOTP. I have build this app… Continue reading Storing TOTP keys