Collaborate Disseminate
i am trying to implement google Authenticator mechanism in c++.
i always get different OTP than that of google authenticator.
i wonder why ?
1 – i searched and found that google uses HMAC-SHA1 algorithm. but i am suspecious because :
almo… Continue reading problem in implementing google authenticator app in c++ [migrated]
I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc… Which is great for a device like this.
First of all, I understand how a smart card is more secured than an app/sms based OTP for instance, but seeing… Continue reading Why would a U2F key be more secured than an OTP device?
In my country, the bank I use (and most other banks I know) rely solely on SMS 2-factor codes (which is obsolete authentication method) when logging-in, making payments, etc… and if you have your phone shut down, unavailable or battery … Continue reading Why do banks not implement more secure options, instead forcing archaic approaches? [closed]
If there is a widely accessible TOTP website (prototype: https://depperm.github.io/) that allows users to set a date and secret they can remember or a package that allows companies/developers to create their own domain/site specific tool, … Continue reading What are the security flaws in web based TOTP app?
Their 2FA to log in to their web interface requires two things:
something you know (PIN);
something you have (OTP, generated by app for example).
After that, you need to log in by:
input email address;
input PIN, in password field;
inpu… Continue reading How is mailbox.org 2FA method referred to as, correctly?
I would like to determine which combination of 2FA methods are the most secure, in the context of securing my website’s users. A standard website built with php/mysql/apache or nginx.
This also takes into account the usability and convenie… Continue reading Which 2FA combinations are the most secure going forward (for website authentication)? [closed]
RFC 6238 recommends the server to implement some form of resynchronization algorithm to account for time drift of the device used to generate the OTP. However, the RFC provides very little information on how to actually implement such a sy… Continue reading Securely detecting and correcting time drift for TOTP
This question has been asked previously, here. However, none of the answers there address the question. The accepted answer conflates Authy’s multi-device mode with its cloud backup feature. I am specifically not asking about the cloud bac… Continue reading How does Authy implement multi-device mode?
I’m currently implementing 2FA and ask our users that login with their email/pass to enter their code when 2FA is enabled. This is all good.
But I also offer a "I forgot my password" access that sends a one-time login link by ema… Continue reading Is 2FA required for one-time login links?
I’m in the process of implementing TOTP based on RFC6238.
The RFC’s recommend time step is 30 seconds.
However, for addressing a resynchronization problem that we have,
if I use a larger time step, 15 mins
or if my verifier verify the co… Continue reading TOTP – Larger Timesteps