Collaborate Disseminate
I’m currently learning about Time-based One-Time Password implementations (see RFC6283). I see that a shared secret is part of the algorithm.
This shared secret is exposed to the user (see example with Google Authenticator)…. Continue reading Securing shared key in TOTP Implementations
Are there any tangible improvements to gain from enabling TOTP (google-authenticator PAM plugin) over existing public key based SSH connections?
Does it make security sense to enable TOTP based Two-Factor auth for SSH into b… Continue reading Are there security advantages to adding an OTP to SSH connections?
Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this : The server generates a secret key and shares with the client (you) when the client registers with the server. Using… Continue reading How are one-time password generators like Google Authenticator different from having two passwords?
Is there any security risk for an application allowing a user to register multiple TOTP devices for a single account?
I’ve noticed that with many popular accounts (gmail, github) you have the ability to register multiple sec… Continue reading Risks of allowing an account to register multiple TOTPs
If you have access to generated Time-based One-time Password (TOTP) values, is it theoretically possible to decode the secret key?
If yes, how much time and about how many generated values are needed?
Continue reading Can a Time-based One-time Password (TOTP) key be decoded from generated values?
Google authenticator uses HOTP and TOTP algorithm for TFA.
What is the basic working principle of DUO push? What brings security to DUO push?
Continue reading How does DUO push button method and other methods actually work?
I’m implementing TOTP in my application to allow users to use two factor authentication with Google authenticator and the like.
However I’ve also implemented “social login” using OAuth, should the users be prompted for their TOTP codes wh… Continue reading Should I use TOTP when using OAuth2
I recently got a Galaxy Watch and to get acquainted with developing apps for it I’m writing a simple two factor authenticator to generate TOTP codes from entered secrets using the Google Authenticator algorithm. I found this … Continue reading Two-factor authentication on Galaxy Watch – should secrets be encrypted, and is this SQLite example secure?
1Password sort of supports 2FA. We have a master password and an additional secret. But why don’t they support TOTP for 2FA?
I just want to make really sure that unless I approve, no other devices can access my 1Password acc… Continue reading Are there security issues in not supporting TOTP 2FA for 1Password? [on hold]
What are the risks (if any) of sharing the TOTP codes?
I’m referring to the six-digit codes generated by Google Authenticator and the like. By “sharing old tokens” I’m thinking of posting online a list of, say, 10 consecutiv… Continue reading Risks of sharing multiple, old TOTP codes?