Collaborate Disseminate
Some websites make it easy to enrol multiple TOTP apps at the same time but make it difficult to disable these apps. For instance, the user would have to completely reset the MFA settings instead of just disabling one TOTP app, or the user… Continue reading Why make it difficult to disable MFA tokens?
As I was unable to find any thread about this particular question, I’m trying to ask the community for help.
We’re currently using RSA RADIUS based 2FA to authenticate external VPN users from companies to let them manage their systems ins… Continue reading prevent/prohibit duplication of MFA software-token / ensure user identity
All the products supporting TOTP-based 2FA use one of the common authenticator apps such as Google Authenticator, Authy, etc.
I want to understand whether there are any security reasons behind why the implementations prefer to use the ge… Continue reading In case of TOTP code generation, why do products prefer a generic authenticator apps, such as Google Authenticator?
There are standards for Time-based (TOTP) and Counter-based (HOTP) One Time Password schemes.
Generated OTPs are independent of the transactions they are used for, such as authorizing a login or a money transfer.
These are widely supporte… Continue reading Is there a standard for OTPs tied to transaction details (that has been implemented in apps/devices)?
My understanding is that in TOTPs are like HMAC where code is derived from time.
However, I am struggling to understand the concept of Backup Codes in Google Authenticator, and how are they calculated as they are not time sensitive and c… Continue reading How do backup codes work in TOTP, like Google Authenticator?
Let’s say I have a TOTP generator app (like Google Authenticator) installed on my smartphone. I use it for 2FA for service X. How bad is it if I log in to X’s website/dedicated app on the same smartphone? Would I gain anything by using an … Continue reading Is it unsecure to use TOTP codes on the device that generates them?
In TOTP implementations, it’s always suggested that you give your users recovery codes. Should I treat these like tokens? Display them once and hash them?
If so, I’d love to know why. If not, I’m curious too.
Continue reading How should I store TOTP recovery codes on the server end?
I want to generate an OTP, that is valid once in a certain time window in the future. That time window is in the range of minutes to hours. After being used in that window, the OTP may not be used again. I found TOTP and HOTP… Continue reading One time password: combine time window and counter
I’ve been trying to implement 2FA for a web application, both server and client side. As everybody knows, an H/TOTP is intended to prove that I own something, for example through the use of an authenticator app installed on a… Continue reading Do backup codes render 2FA useless?
For MFA I now use Authy (owned by Twilio) instead of Google Authenticator. I find Authy more convenient because it syncs your accounts between several devices and several authy installations which Google Authenticator will not do. Authy al… Continue reading Is it safe to save a screenshot of my QR code?