Collaborate Disseminate
I’m hosting a website on a free hosting provider server that uses PHP for OTP-based authentication. Here’s how it works:
If an unregistered IP address visits the site, it shows an "Unauthorized" message.
For registered IPs, the… Continue reading Is my TOTP key secure on a free hosting provider server with FTP and .htaccess restrictions?
Why authenticator Apps produce code every few seconds rather than having a button to generate an one time code that would be active for the same duration as in TOTP? Am I missing something here? Doesn’t generating a code every few seconds … Continue reading Why authenticator Apps produce code every few seconds?
I am trying to figure out the implications of authentication technologies. Answers to a previous question indicate my real question is more "meta than that.
The primary requirements for an authentication system from my point of view… Continue reading Is there a private, secure and easy login system?
The commonly used Time based One Time Password (TOTP) system requires the initial sharing of a key. This presents a security risk, as acknowledged by Wikipedia referencing the RSA compromise:
An attacker with access to this shared secre… Continue reading Is there an asymmetric TOTP algorithm that avoids sharing a private key over public channels?
I’m adding 2FA to my app and have set it up for users who have registered with email. I also have users who log in with Facebook and others who use their mobile number.
Should I also add TOTP for users who log in with Facebook, or is that … Continue reading Do I need to add TOTP 2FA for Facebook and mobile number logins in my app?
Ticketmaster is having a rough time lately. Recently, a hacker named [Conduition] managed to reverse-engineer their new “safe” electronic ticket system. Of course, they also had the recent breach where …read more Continue reading Ticketmaster SafeTix Reverse-Engineered
I’m trying to create a simple web-app (for personal use, but also trying to learn some things along the way). If the stack is important, I’m using:
SvelteKit for Frontend
Netlify Functions for the API
Supabase for the DB (not auth, just D… Continue reading Considerations when setting up passkey + TOTP login
I am working on a application which requires session token to commence trading activities. This will be hosted on a cloud based Linux VM (Ubuntu) and a managed MySQL database.
Session token are generated using a TOTP. I have build this app… Continue reading Storing TOTP keys
I’m prototyping an application that generates MFA codes. For developer simplicity I’m storing source data in clear text in Google Authenticator URI format (ex: otpauth://totp/totp@authenticationtest.com?secret=I65VU7K5ZQL7WB4E).
What is co… Continue reading How important is HOTP/TOTP secret key security?
My site’s users currently do not have any MFA options, but we’re planning to release this feature in the near future. We’ve already built support for TOTP and have it working internally, but some on my team think that it won’t be very user… Continue reading If I’m rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]