Questions tagged [totp]

Time-based One-time Password Algorithm

77 questions
5 votes, 1 answer

Can two TOTP clients register at the same time and generate the same tokens?

Note that I'm not talking about systems like Authy, where you can log in to your account on multiple devices and sync your tokens between them -- I'm referring to two completely separate devices that have no knowledge of each other. Consider the…
smitelli
4 votes, 2 answers

Can a Time-based One-time Password (TOTP) key be decoded from generated values?

If you have access to generated Time-based One-time Password (TOTP) values, is it theoretically possible to decode the secret key? If yes, how much time and about how many generated values are needed?
Majal
4 votes, 1 answer

Strong unique passwords and TOTP 2FA

So I use a password manager to generate a (strong) unique password for each and every site I have a username / password for. For the ones that allow it I also enable TOTP (Time-based One-Time Password) 2FA. This got me thinking. Theoretically…
John
4 votes, 3 answers

What security considerations should I make when choosing a TOTP app?

One company now requires that I either use Authy or Google Authenticator. Supposedly these are safer than getting a text message, but I'm still seeing people complain about how dangerous these are. For instance, this article says that both Authy…
4 votes, 1 answer

TOTP / HOTP - Offline 1 hour password generator

I need to generate and validate a password / token for an hour. Client -> generate password (valid for one hour). Server -> validate it within an hour. // System needs to work offline (TOTP). TOTP is normally 30 seconds... So if I change the TOTP interval to…
Stweet
3 votes, 2 answers

Why make it difficult to disable MFA tokens?

Some websites make it easy to enrol multiple TOTP apps at the same time but make it difficult to disable these apps. For instance, the user would have to completely reset the MFA settings instead of just disabling one TOTP app, or the user would…
Alex
3 votes, 2 answers

How do backup codes work in TOTP, like Google Authenticator?

My understanding is that TOTPs are like HMAC, where the code is derived from time. However, I am struggling to understand the concept of Backup Codes in Google Authenticator, and how they are calculated, as they are not time-sensitive and can be used…
3 votes, 0 answers

One time password: combine time window and counter

I want to generate an OTP that is valid once in a certain time window in the future. That time window is in the range of minutes to hours. After being used in that window, the OTP may not be used again. I found TOTP and HOTP on this topic. You can…
earthling
3 votes, 1 answer

Is it reasonable to store encrypted TOTP keys + authentication credentials on a single device (for end-user)?

My current security model (at least for passwords) is to store them encrypted at rest and use GPG (in combination with a Yubikey) to perform encryption / decryption. I'm using pass (https://www.passwordstore.org/) to help automate the process for…
Aea
3 votes, 3 answers

What are dedicated TOTP devices called?

I would like to buy a device that can be provisioned with a secret seed and then displays a time based authentication token without ever revealing the seed. As terms like 2FA, TOTP and Authenticator are almost guaranteed to only show up information…
user88348
3 votes, 2 answers

Using the Symantec VIP Access smartphone software for 2FA

I'm most accustomed to using Google Authenticator / FreeOTP for my 2FA needs. This system allows me to have separate TOTP streams for each site and allows me to back up my seeds (by printing the QR codes used to set them up). However, I've…
user3553031
3 votes, 2 answers

Is there a way to create a time-based OTP with a public/private key?

I have a situation where I need a time-based OTP. But most of the examples and cases I have seen use the same key to create and check the OTP. But I need something different. I want to create the OTP using a public key, so that it can only be checked/decrypted…
3 votes, 1 answer

How can I back up my iPhone without compromising my 2FA and master keys?

I've noticed that when I restore my old iPhone's backup to a new iPhone, 1Password's master-key (which is never supposed to leave the device 1Password is installed on, and you transfer manually), my TOTP credentials (in Google Authenticator or a…
ELLIOTTCABLE
3 votes, 2 answers

IP-Restricted OTP-like Web Admin Authentication: Safe or Not?

I created a web admin panel with the following security implementation. It is located in a sub-directory of the web site, which will trigger a 404 Error when accessed (just like the link is broken or doesn't exist). This (only if correct sub…
Sibidharan
2 votes, 1 answer

Does sending TOTP code along with username and password defeat the purpose of 2FA?

Related: Implementation flow of MFA with TOTP I'm trying to implement 2FA with TOTP in my web application. The implementation I've looked at (the ASP.NET Core implementation of 2FA) does something like this: Check if username and password are…
Acerbic