Is my TOTP key secure on a free hosting provider server with FTP and .htaccess restrictions?

I’m hosting a website on a free hosting provider server that uses PHP for OTP-based authentication. Here’s how it works:

If an unregistered IP address visits the site, it shows an "Unauthorized" message.

For registered IPs, the…

Is there an asymmetric TOTP algorithm that avoids sharing a private key over public channels?

The commonly used Time-based One-Time Password (TOTP) system requires the initial sharing of a key. This presents a security risk, as acknowledged by Wikipedia referencing the RSA compromise:

An attacker with access to this shared secre…

Ticketmaster SafeTix Reverse-Engineered

Ticketmaster is having a rough time lately. Recently, a hacker named [Conduition] managed to reverse-engineer their new “safe” electronic ticket system. Of course, they also had the recent breach where …

If I’m rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]

My site’s users currently do not have any MFA options, but we’re planning to release this feature in the near future. We’ve already built support for TOTP and have it working internally, but some on my team think that it won’t be very user…