Questions tagged [hotp]

HMAC-based One-time Password (HOTP) is an algorithm for generating one-time password values defined in RFC 4226.

15 questions
7
votes
2 answers

How many known time/result combinations does it take to guess a HOTP/TOTP secret?

I thought about "recovering", "determining", "guessing", "calculating" or "reproducing" the HOTP/TOTP secrets when only the outcome (6-digit code + time) is known. In case we can view the live creation of HOTP/TOTP codes without knowing the actual…
Bob Ortiz
5
votes
1 answer

Does TOTP make sense for verification codes?

I know that the concept of TOTP is for when the device on which the code is to be verified is separate from the device that is going to generate the code. However, I was wondering if it is a bad idea to use the TOTP algorithm for generating the…
4
votes
3 answers

What security considerations should I make when choosing a TOTP app?

One company now requires that I either use Authy or Google Authenticator. Supposedly these are safer than getting a text message, but I'm still seeing people complain about how dangerous these are. For instance, this article says that both Authy…
4
votes
1 answer

TOTP / HOTP - Offline 1 hour password generator

I need to generate and validate a password / token for an hour. Client -> generate password (valid for one hour). Server -> validate it within an hour. // System needs to work offline (TOTP). TOTP is normally 30 seconds... So if I change the TOTP interval to…
Stweet
3
votes
0 answers

One time password: combine time window and counter

I want to generate an OTP, that is valid once in a certain time window in the future. That time window is in the range of minutes to hours. After being used in that window, the OTP may not be used again. I found TOTP and HOTP on this topic. You can…
earthling
2
votes
3 answers

Why would a U2F key be more secure than an OTP device?

I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc... Which is great for a device like this. First of all, I understand how a smart card is more secure than an app/SMS based OTP for instance, but seeing how the…
Max13
2
votes
3 answers

Is using the 2FA secret on the same machine as the credentials removing one factor of 2FA?

In other words: Is saving or using the two-factor authentication (2FA) secret on the same machine to generate one-time passwords (OTP) breaking the two-factor authentication (2FA) concept, since it's all done on one machine? KeePass has some plugins…
Bob Ortiz
1
vote
1 answer

Does the lack of a secure channel really allow a replay attack to HOTP?

RFC 4226 on HOTP (7.1 Authentication Protocol Requirements) says RP3 - P [the protocol] SHOULD be implemented over a secure channel in order to protect users' privacy and avoid replay attacks. But isn't the basic idea of HOTP (and TOTP) not to…
U. Windl
1
vote
3 answers

Prevent/prohibit duplication of MFA software tokens / ensure user identity

As I was unable to find any thread about this particular question, I'm trying to ask the community for help. We're currently using RSA RADIUS based 2FA to authenticate external VPN users from companies to let them manage their systems inside our…
alphachris
1
vote
0 answers

How exactly do Fido Keys work?

Recently I acquired a security Fido key that allows me to use the U2F protocol on some of my accounts. Now I know that these keys use public/private keys for the specified account but I'm stuck on the logic of one part. How does the Fido Key know…
NerdOfCode
1
vote
3 answers

Prevention of devices using same OTP secret

I have a requirement of OTP applications on mobile devices not sharing the same secret (even if the mobile devices are owned by the same user). A single secret must be present in a single device. Open source applications that implement OTP (like…
rcorreia
1
vote
2 answers

How should the counter value for HOTPs be stored?

RFC 4226 describes the HOTP algorithm as "based on an increasing counter value and a static symmetric key known only to the token and the validation service", specifically: HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)). How would one go about storing the…
monotonous
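Added example (not code from any of the questions above, nor RFC 4226's own reference implementation) covering three of the questions on this page at once: the HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)) computation asked about in the counter-storage question, the TOTP wrapper with a non-default step (the "offline 1 hour" question), and a server-side verifier that answers the replay question: the validation service stores the highest counter it has accepted and only ever moves it forward, so a code captured on an insecure channel is useless once it has been used, with a look-ahead window for tokens whose counter ran ahead. The key is the RFC 4226 test secret so the output can be checked against the RFC's table; `HotpVerifier`, `look_ahead` and `last_counter` are names chosen here for illustration.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 appendix D test secret (ASCII "12345678901234567890"), embedded so the
# example runs offline. A real deployment uses a random key of at least 128 bits.
RFC4226_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, RFC 4226 section 5.3."""
    # C is an 8-byte big-endian unsigned integer (RFC 4226 section 5.1).
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, digestmod).digest()
    # Dynamic truncation: the low 4 bits of the last MAC byte pick a 4-byte window;
    # its top bit is masked off so the result is the same on signed and unsigned ints.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238) is HOTP with the counter replaced by floor(unix_time / step).

    step=3600 gives a code that is stable for one wall-clock hour; note that such a
    code is still reusable within that hour unless the server also records use.
    """
    return hotp(key, int(for_time) // step, digits, digestmod)


class HotpVerifier:
    """Server-side HOTP validation state for one token (assumed name, illustration only).

    last_counter is the highest counter value already accepted; persist it with the
    key. A correct code for any counter <= last_counter is refused, which is what makes
    a captured HOTP code single-use even when the transport was not confidential.
    look_ahead is the resynchronisation window s from RFC 4226 section 7.2.
    """

    def __init__(self, key: bytes, look_ahead: int = 10, digits: int = 6):
        self.key = key
        self.look_ahead = look_ahead
        self.digits = digits
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            expected = hotp(self.key, c, self.digits)
            # constant-time comparison so response timing leaks nothing about the digits
            if hmac.compare_digest(expected, code):
                # Resynchronise: every counter up to and including c is now burned,
                # so a replayed copy of this code (or of any earlier one) fails.
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC4226_SECRET, c)}")
    print("TOTP, 30 s step, now:", totp(RFC4226_SECRET, time.time()))
    print("TOTP, 1 h step, now: ", totp(RFC4226_SECRET, time.time(), step=3600))
    v = HotpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("first use:", v.verify(first), "replay:", v.verify(first))
```

With the RFC 4226 secret the first three HOTP values are 755224, 287082 and 359152, matching the RFC's appendix D table; the verifier accepts counter 0 once, rejects its replay, and still accepts a later counter inside the window while refusing anything at or below the stored counter.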
0
votes
0 answers

Combine HOTP and TOTP

I want to build a custom OTP implementation that utilizes the HOTP/TOTP algorithm. I need to create several codes (one time passwords), which are all valid for the same time window in the future (e.g. five hours), but each code can only be used…
earthling
0
votes
1 answer

How does DUO push button method and other methods actually work?

Google Authenticator uses the HOTP and TOTP algorithms for TFA. What is the basic working principle of DUO push? What brings security to DUO push?
Jay
0
votes
1 answer

Is using HOTP-only authorization considered weak?

I have seen many experts advising usage of some kind of OTP as second step of 2FA schemes. I fully understand 2FA is more secure than Single Authorization, but it is also more inconvenient for a casual user. What about replacing passwords with HOTP…