If I’m rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]

My site’s users currently do not have any MFA options, but we’re planning to release this feature in the near future. We’ve already built support for TOTP and have it working internally, but some on my team think that it won’t be very user…

Can Sending All Possible Otp Codes Within 1 Second Bypass Server Protections? [duplicate]

I’m exploring the security implications of OTP (One-Time Password) authentication and wondering about the effectiveness of server-side protections against brute force attacks.
If an attacker attempts to send all possible OTP codes within a…

Can displaying date and time on screen upon TOTP login failure makes system more vulnerable?

We are using TOTP (https://datatracker.ietf.org/doc/html/rfc6238) for a web application to enhance the security. TOTP works on UTC. If system clock drifts OR NTP is not synced, TOTP generated by application (like MS Authenticator, or Google…

Is 3DS compatible with secure 2FA technologies? (TOTP, WebAuthn)

Is PSD2’s Strong Customer Authentication requirement possible to satisfy with secure 2FA solutions, such as TOTP and WebAuthn?
For the purposes of this question, I’m classifying all systems where an OTP has to be transmitted as "insec…

Is using TOTP from Authenticator app on a mobile device instead of passwords inherently 2FA?

A related discussion can be found, specifically addressing the security implications of using only TOTP for single-factor authentication. However, in my view, using a TOTP code from a Google Authenticator on a mobile device effectively cons…

Getting Time-OTP Secret Key from Activation and Serial keys [closed]

I recently registered with a bank that has an online banking platform. The platform website requires login with a proprietary OTP generator app. To activate this application, the bank sent me two numbers, both private:
Serial key: XXXXX-XX…