Questions tagged [totp]

Time-based One-time Password Algorithm

77 questions
63 votes, 2 answers

How are one-time password generators like Google Authenticator different from having two passwords?

Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this: The server generates a secret key and shares it with the client (you) when the client registers with the server. Using the shared key and the…
Ashwin
  • 1,607
  • 3
  • 18
  • 25
33 votes, 1 answer

Storing TOTP secret in database, plaintext or encrypted?

I've been reading about 2FA and how it is used, and the thing that struck me most is that everyone seems to be storing the TOTP secret as plaintext in their database. I understand you need the secret as plaintext in order to verify the OTP, so you…
Y0lk
  • 431
  • 1
  • 4
  • 5
12 votes, 2 answers

What happens if a (google authenticator) one time password QR code is leaked?

When there are QR codes for one-time password (OTP) URLs (starting with otpauth://) that are supposed to be scanned with an authenticator app such as Google Authenticator, what happens if a user accidentally opens this QR code in a "normal" QR code…
SHL
  • 223
  • 1
  • 5
10 votes, 2 answers

Is it a bad idea to have the user choose the TOTP secret instead of generating it automatically?

Reading about TOTP-based authentication systems that use smartphones as one-time code generators, I seem to understand that typically the shared secret is generated automatically by the "server" (the system to which the user must authenticate), then…
SantiBailors
  • 391
  • 2
  • 11
7 votes, 3 answers

Do backup codes render 2FA useless?

I've been trying to implement 2FA for a web application, both server and client side. As everybody knows, an H/TOTP is intended to prove that I own something, for example through the use of an authenticator app installed on a mobile phone which will…
scola
  • 71
  • 2
7 votes, 2 answers

Is accepting the current and the previous one-time password a bad practice?

I often see two-factor authentication (2FA) methods using one-time passwords (OTP) implementations wherein the current (previous) and sometimes even 2 or 3 previous tokens are still valid. This is probably done for several reasons, I can think…
Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90
7 votes, 2 answers

How many known time/result combinations does it take to guess a HOTP/TOTP secret?

I thought about "recovering", "determining", "guessing", "calculating" or "reproducing" the HOTP/TOTP secrets when only the outcome (6-digit code + time) is known. In case we can view the live creation of HOTP/TOTP codes without knowing the actual…
Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90
6 votes, 2 answers

How do I back up YubiKey-backed TOTP authentication?

I bought a YubiKey 5 NFC this week and have started using 2FA and U2F where I can but am deathly allergic to the idea of losing access. For backing up U2F access I'm going to buy a second U2F token (probably a YubiKey depending upon the answer to…
mas
  • 297
  • 2
  • 9
6 votes, 2 answers

Best practices for handling wrong TOTP tokens

Assume a 2FA system with user-supplied passwords and 6 digit TOTP tokens. It is not possible to test a TOTP token without authenticating with a password first, so whoever submits a token is presumed to know the password. Each token is generated…
Jirka Hanika
  • 201
  • 1
  • 7
6 votes, 1 answer

Two factor brute force protection

If I implement two factor authentication using TOTP, I (obviously) have to protect against simple brute force attacks of the TOTP value. If I ask for the TOTP value after successful password login, the attacker already knows the valid password.…
kelunik
  • 161
  • 4
5 votes, 4 answers

Using Public Key Cryptography for improving 2FA?

When using 2-factor-authentication using plain TOTP, the secret is stored on both the client and the server. This in turn means, that anyone with access to the database (and a key for it) knows the 2fa-secret of all the users. Why is this…
Gamer2015
  • 707
  • 4
  • 12
5 votes, 1 answer

Does TOTP make sense for verification codes?

I know that the concept of TOTP is for when the device on which the code is to be verified is separate from the device that is going to generate the code. However, I was wondering if it is a bad idea to use the TOTP algorithm for generating the…
5 votes, 1 answer

Securely detecting and correcting time drift for TOTP

RFC 6238 recommends that the server implement some form of resynchronization algorithm to account for time drift of the device used to generate the OTP. However, the RFC provides very little information on how to actually implement such a…
5 votes, 1 answer

In a TOTP implementation, does there need to be an expiration policy for the user's secret key?

Background: We're starting a project to add an additional authentication factor to our web application. This involves the creation of a TOTP (Time-Based One-Time Password) token that conforms to RFC 6238 (https://www.rfc-editor.org/rfc/rfc6238). This…
matt1616
  • 153
  • 4
5 votes, 1 answer

How to get TOTP password with hmac sha 512 as hashing function?

I've never learned about JavaScript and network security before, but lately I've taken on a programming challenge where I have to send my project link via an HTTP POST request, and I have to figure out the password; the authentication uses TOTP with HMAC-SHA…
gilang
  • 51
  • 1
  • 3
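Several of the questions above turn on the same mechanics: how the shared secret and the clock produce a code (the first question and the HMAC-SHA512 one), whether a server should accept the previous code, how to treat wrong codes without inviting brute force, and how to resynchronize against clock drift. The Python below is an added example, not code from any of the posts or their answers. It implements RFC 4226/6238 generation for SHA-1, SHA-256 and SHA-512, checks it against the test vectors published in RFC 6238 Appendix B, and pairs it with a server-side verifier whose policy is an illustrative choice rather than anything the RFC mandates: a window of one step either side of the server's clock, a lockout after a fixed number of consecutive failures, a per-user drift offset learned only from successful logins, and refusal of any code for a time step that has already been consumed.

```python
import hmac
import struct
import time

# RFC 6238 Appendix B test seeds: the ASCII digits "1234567890" repeated to
# the output length of each hash (20, 32 and 64 bytes).
RFC6238_SEEDS = {
    "sha1": b"1234567890" * 2,
    "sha256": (b"1234567890" * 4)[:32],
    "sha512": (b"1234567890" * 7)[:64],
}


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check for one enrolled secret (policy values are illustrative choices).

    window      : accept codes from this many time steps either side of the server clock
    max_attempts: consecutive failures allowed before the factor is locked
    drift       : client clock offset in steps, learned from the last success (RFC 6238 resync)
    last_counter: highest time step whose code was accepted; that step and earlier are
                  refused, so a code seen by an attacker cannot be replayed inside the window
    """

    def __init__(self, secret: bytes, window: int = 1, max_attempts: int = 5,
                 step: int = 30, digits: int = 6, algo: str = "sha1") -> None:
        self.secret, self.window, self.max_attempts = secret, window, max_attempts
        self.step, self.digits, self.algo = step, digits, algo
        self.last_counter = -1
        self.drift = 0
        self.failures = 0

    def verify(self, code: str, now: int) -> str:
        if self.failures >= self.max_attempts:
            return "locked"
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            self.failures += 1
            return "bad"
        base = now // self.step + self.drift
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed (replay) or older than a consumed code
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                self.drift += delta  # remember the client's offset for next time
                self.failures = 0
                return "ok"
        self.failures += 1
        return "bad"


def rfc6238_vectors_match() -> bool:
    """Check the 8-digit codes from RFC 6238 Appendix B for all three hashes."""
    expected = {
        59: {"sha1": "94287082", "sha256": "46119246", "sha512": "90693936"},
        1111111109: {"sha1": "07081804", "sha256": "68084774", "sha512": "25091201"},
        1234567890: {"sha1": "89005924", "sha256": "91819424", "sha512": "93441116"},
    }
    return all(totp(RFC6238_SEEDS[a], t, digits=8, algo=a) == c
               for t, codes in expected.items() for a, c in codes.items())


if __name__ == "__main__":
    secret = RFC6238_SEEDS["sha1"]
    print("RFC 6238 vectors match:", rfc6238_vectors_match())
    print("code for the current 30 s step:", totp(secret, int(time.time())))
```

Recording `last_counter` is what makes a window safe to offer: a code that has been accepted is dead for the rest of that step and every earlier one, so the "previous code" concession does not become a replay window. The drift offset moves only on success, so an attacker cannot steer it with guesses; a deployment would also cap it and persist all three counters per user alongside the secret.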