Collaborate Disseminate
Given the increasing widespread adoption of Time-based one-time password (TOTP) in view of SMS OTP hacks, Is Time-based one-time password (TOTP) sufficiently secure as another factor of authentication, on top of username/password?
I refer … Continue reading Is Time-based one-time password (TOTP) sufficiently secure as another factor of authentication?
I was wondering about the design of totp and 2fa. I learned that 2fa is any 2 of the following authentication methods:
Something you know (e.g. a password)
Something you have (e.g. an email address)
Something you are (e.g. biometrics)
I am storing my passwords in a password manager (keepass). Also I am using keepass to set up one-time passwords for some accounts. Keepass is storing the seeds of the OTP’s in its database.
If my keepass DB is compromised I am losing my pa… Continue reading Storing OTP seeds in password manager [duplicate]
There are tons of TOTP (2FA) Authenticators out there (for Windows, Android, iPhone …). However, in terms of security, what are the main characteristics that an app needs to meet to be called really secure? (For example, apps without ha… Continue reading What are characteristics of secure TOTP 2FA Authenticator
While reading about password breaches, it occurred to me; where are the TOTP shared secret breaches? Because TOTP relies on a shared secret (unlike say U2F) the server has a copy of the shared secret, which lends itself to the same vulnera… Continue reading Historical examples of breached TOTP secrets?
When using 2-factor-authentication using plain TOTP, the secret is stored on both the client and the server. This in turn means, that anyone with access to the database (and a key for it) knows the 2fa-secret of all the users. Why is this … Continue reading Using Public Key Cryptography for improving 2FA?
Is there any major flaw in using TOTP in a way where the server sends its time to the client when the client requests to log in? The advantage of this is the client’s time does not have to be set correctly, as it uses the time provided by … Continue reading TOTP, but share server time
I have a few terminals that I currently use a static IP to authenticate. The problem is in my country the internet is not stable, so often I have to switch to mobile data, then the terminals can’t authenticate because their IP addresses ch… Continue reading Is this a secure way of authenticating, advice on what to change?
I know that the concept of TOTP is for when the device on which the code is to be verified is separate from the device that is going to generate the code.
However, I was wondering if it is a bad idea to use the TOTP algorithm for generatin… Continue reading Does TOTP make sense for verification codes?
i am trying to implement google Authenticator mechanism in c++.
i always get different OTP than that of google authenticator.
i wonder why ?
1 – i searched and found that google uses HMAC-SHA1 algorithm. but i am suspecious because :
almo… Continue reading problem in implementing google authenticator app in c++ [migrated]