Inside Two-Factor Authentication Apps

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password …


Is accepting the current and the previous one-time password a bad practice?

I often see two-factor authentication (2FA) methods using one-time passwords (OTP) implementations wherein the current (previous) and sometimes even 2 or 3 previous tokens are still valid. This is probably done for several re…

How many known time/result combinations does it take to guess a HOTP/TOTP secret?

I thought about “recovering”, “determining”, “guessing”, “calculating” or “reproducing” the HOTP/TOTP secrets when only the outcome (6-digit code + time) is known.

In case we can view the live creation of HOTP/TOTP codes without knowing t…

How can I back up my iPhone without compromising my 2FA and master keys?

I’ve noticed that when I restore my old iPhone’s backup to a new iPhone, 1Password’s master-key (which is never supposed to leave the device 1Password is installed on, and you transfer manually), my TOTP credentials (in Google Authenticator or a similar app), the Steam authenticator-key, etc … still seem to exist on the new, restored, device.

This implies that they’re also sitting around in my backups — and possibly in iCloud?

How can I back up my device without compromising the uniqueness of my second factor of authentication?


Understanding the basics of Two-Factor Authentication

With data breaches resulting in leaked passwords occurring almost daily, two-factor authentication has become an essential tool in the security toolkit.

Categories: 101, FYI
Tags: 2fa, authentication, mfa, Multi-Factor Authorization, passwords, Pieter Arntz, sso, toke…