Questions tagged [totp]

Time-based One-time Password Algorithm

77 questions
2 votes, 3 answers

Why would a U2F key be more secured than an OTP device?

I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc... Which is great for a device like this. First of all, I understand how a smart card is more secure than an app/sms based OTP for instance, but seeing how the…
Max13
2 votes, 2 answers

How is mailbox.org's 2FA method correctly referred to?

Their 2FA to log in to their web interface requires two things: something you know (PIN); something you have (OTP, generated by app for example). After that, you need to log in by: input email address; input PIN, in password field; input…
2 votes, 2 answers

Is it safe to save a screenshot of my QR code?

For MFA I now use Authy (owned by Twilio) instead of Google Authenticator. I find Authy more convenient because it syncs your accounts between several devices and several Authy installations, which Google Authenticator will not do. Authy also…
2 votes, 1 answer

Are there security advantages to adding an OTP to SSH connections?

Are there any tangible improvements to gain from enabling TOTP (google-authenticator PAM plugin) over existing public key based SSH connections? Does it make security sense to enable TOTP based Two-Factor auth for SSH into bastion servers? I get…
eternaltyro
2 votes, 3 answers

Is using the 2FA secret on the same machine as the credentials removing one factor of 2FA?

In other words: is saving or using the two-factor authentication (2FA) secret on the same machine to generate one-time passwords (OTP) breaking the two-factor authentication (2FA) concept, since it's all done on one machine? KeePass has some plugins…
Bob Ortiz
2 votes, 1 answer

TOTP: Storing symmetrical secrets

Is it just me, or does TOTP for two-factor auth seem like a step back to the days of digest auth, where you have to store the symmetrical secret in a reversible manner? Passwords stored in plaintext were, and still are, rampant, and there have been…
joshperry
2 votes, 1 answer

What is the benefit of using LastPass Authenticator on Android compared to other similar applications?

LastPass recently (March 2016) released a new app called LastPass Authenticator. Reading their blog post and the description of the app features, it looks to me like the app does nothing more than TOTP. Now the algorithm for TOTP is well…
user48678
2 votes, 0 answers

Setting date/time to future on soft time-based one time password (TOTP) algorithms?

I am evaluating a two-factor authentication system that uses a time-based one-time password algorithm. This runs as an Android application. As you would expect, this seems to be using a seed and the current time to generate a one-time passcode. The…
Cybergibbons
1 vote, 1 answer

What are the security flaws in a web-based TOTP app?

If there is a widely accessible TOTP website (prototype: https://depperm.github.io/) that allows users to set a date and secret they can remember or a package that allows companies/developers to create their own domain/site specific tool, what…
depperm
1 vote, 0 answers

How does Authy implement multi-device mode?

This question has been asked previously, here. However, none of the answers there address the question. The accepted answer conflates Authy's multi-device mode with its cloud backup feature. I am specifically not asking about the cloud backup…
Tom Hunt
1 vote, 1 answer

TOTP - Larger Timesteps

I'm in the process of implementing TOTP based on RFC6238. The RFC's recommended time step is 30 seconds. However, for addressing a resynchronization problem that we have, if I use a larger time step, 15 mins, or if my verifier verifies the code in 30…
Sency
1 vote, 3 answers

Prevent/prohibit duplication of MFA software token / ensure user identity

As I was unable to find any thread about this particular question, I'm trying to ask the community for help. We're currently using RSA RADIUS based 2FA to authenticate external VPN users from companies to let them manage their systems inside our…
alphachris
1 vote, 2 answers

In the case of TOTP code generation, why do products prefer generic authenticator apps, such as Google Authenticator?

All the products supporting TOTP-based 2FA use one of the common authenticator apps such as Google Authenticator, Authy, etc. I want to understand whether there are any security reasons behind why the implementations prefer to use the generic…
1 vote, 1 answer

Is it insecure to use TOTP codes on the device that generates them?

Let's say I have a TOTP generator app (like Google Authenticator) installed on my smartphone. I use it for 2FA for service X. How bad is it if I log in to X's website/dedicated app on the same smartphone? Would I gain anything by using an airgapped…
gronostaj
1 vote, 1 answer

How should I store TOTP recovery codes on the server end?

In TOTP implementations, it's always suggested that you give your users recovery codes. Should I treat these like tokens? Display them once and hash them? If so, I'd love to know why. If not, I'm curious too.