Collaborate Disseminate
Is it safe not to have a 2FA for a password manager itself?
It seems that using an app for TOTP authentication for a password manager could increase the security. But it turns out that in this case I should remember by heart the password f… Continue reading Security of password managers vs. risk of losing access
We all know the drill when it comes to online security — something you know, and something you have. But when the “something you have” is a two-factor token in …read more Continue reading Hackaday Prize 2023: Sleek Macro Pad Makes 2FA a Little Easier
Everyone in security will tell you need two-factor authentication (2FA), and we agree. End of article? Nope. The devil, as always with security, is in the details. Case in point: …read more Continue reading Two Factor Authentication Apps: Mistakes to Malware
I’ve just implemented QR-based TOTP on a web site. Immediately I have people (quite reasonably, given the application) asking for a checkbox so the site doesn’t require TOTP for that computer and browser for some amount of time. (Probably … Continue reading Code logic for "don’t require OTP for this device"?
I’d like to 2FA with Google Authenticator to my account, but when I want to add 2FA, Google only offers U2F security tokens but no TOTP option. Following the instructions on the official help page, I get only the options:
SMS
Security Key… Continue reading How to add Google Authenticator (TOTP) to a Google account? [closed]
Even in Apple’s and Google’s “walled gardens”, there are plenty of 2FA apps that are either dangerously incompetent, or unrepentantly malicious. (Or perhaps both.) Continue reading Beware rogue 2FA apps in App Store and Google Play – don’t get hacked!
I just wanted to understand the best practice which should be followed for OTP. Should OTP failed attempts be reset again if there is a new otp generated by end user by clicking on a resend button. If we reset the count again for each new … Continue reading Should OTP failed attempts be reset if user clicks on a resend?
According to this disused repository Google Authenticator implements OATH TOTP (RFC 6238) and OATH HOTP (RFC 4226). Those RFCs each seem to describe a secret that the user’s device on which Authenticator runs must know. In principle the … Continue reading Where does Google Authenticator store its secrets on iOS?
I work on a service that handles user authentication & authorization. I recently added 2FA support (email, sms, TOTP) and while it works great, I was wondering about the security of the one-time codes during transit (client->server … Continue reading Security of 2FA codes in-transit
There has been many discussions about this topic on this website. But mostly outdated. I wanted to draw your attention back to this. Although nothing has changed, but I can’t come up with any reasons to not use TOTP as a replacement for pa… Continue reading Use TOTP as a single factor authentication [closed]