Note that I'm not talking about systems like Authy, where you can log in to your account on multiple devices and sync your tokens between them -- I'm referring to two completely separate devices that have no knowledge of each other.
Consider the…
If you have access to generated Time-based One-time Password (TOTP) values, is it theoretically possible to decode the secret key?
If yes, how much time and about how many generated values are needed?
So I use a password manager to generate a (strong) unique password for each and every site I have a username / password for.
For the ones that allow it I also enable TOTP (Time-based One-Time Password) 2FA.
This got me thinking.
Theoretically…
One company now requires that I either use Authy or Google Authenticator. Supposedly these are safer than getting a text message, but I'm still seeing people complain about how dangerous these are. For instance, this article says that both Authy…
I need to generate and validate a password / token for an hour.
Client -> generate password (valid for one hour)
Server -> validate it within an hour.
//System needs to work offline (TOTP)
TOTP is normally 30 seconds... So if I change the TOTP interval to…
Some websites make it easy to enrol multiple TOTP apps at the same time but make it difficult to disable these apps. For instance, the user would have to completely reset the MFA settings instead of just disabling one TOTP app, or the user would…
My understanding is that TOTPs are like HMAC, where the code is derived from time.
However, I am struggling to understand the concept of Backup Codes in Google Authenticator, and how they are calculated, as they are not time sensitive and can be used…
I want to generate an OTP, that is valid once in a certain time window in the future. That time window is in the range of minutes to hours. After being used in that window, the OTP may not be used again. I found TOTP and HOTP on this topic. You can…
My current security model (at least for passwords) is to store them encrypted at rest and use GPG (in combination with an Yubikey) to perform encryption / decryption. I'm using pass (https://www.passwordstore.org/) to help automate the process for…
I would like to buy a device that can be provisioned with a secret seed and then displays a time based authentication token without ever revealing the seed.
As terms like 2FA, TOTP and Authenticator are almost guaranteed to only show up information…
I'm most accustomed to using Google Authenticator / FreeOTP for my 2FA needs. This system allows me to have separate TOTP streams for each site and allows me to backup my seeds (by printing the QR codes used to set them up).
However, I've…
I have a situation where I need time based OTP.
But most of the examples and cases I have seen use the same key to create and check the OTP.
But I need something different. I want to create OTP using a public key, so that it can only be checked/decrypted…
I've noticed that when I restore my old iPhone's backup to a new iPhone, 1Password's master-key (which is never supposed to leave the device 1Password is installed on, and you transfer manually), my TOTP credentials (in Google Authenticator or a…
I created a web admin panel with the following security implementation.
It is located in a sub directory of the web, which will trigger a 404 Error when someone tries to access it (just like the link is broken or doesn't exist).
This (only if correct sub…
Related: Implementation flow of MFA with TOTP
I'm trying to implement 2FA with TOTP in my web application.
The implementation I've looked at (the ASP.NET Core implementation of 2FA) does something like this:
Check if username and password are…