Questions tagged [totp]

Time-based One-time Password Algorithm

77 questions
1 vote, 0 answers

Risks of allowing an account to register multiple TOTPs

Is there any security risk for an application allowing a user to register multiple TOTP devices for a single account? I've noticed that with many popular accounts (gmail, github) you have the ability to register multiple security tokens, but not…
Jeff Wong
1 vote, 1 answer

MFA for multiple accounts?

We are thinking about enabling 2FA with Google Authenticator for all our services. But the only concern for me now is that users will have to have a dedicated Authenticator's account for every service, let's say: Github AWS Gmail Jenkins Maybe…
setevoy
1 vote, 2 answers

How can Authy use Google Authenticator QR

I was just reading around and found it really fascinating that Authy can use Google Authenticator implementations anywhere. How does Authy do this? Isn't this a security risk?
eKKiM
1 vote, 0 answers

How exactly do Fido Keys work?

Recently I acquired a security Fido key that allows me to use the U2F protocol on some of my accounts. Now I know that these keys use public/private keys for the specified account but I'm stuck on the logic of one part. How does the Fido Key know…
NerdOfCode
1 vote, 0 answers

Does producing TOTP tokens weaken the stored secret? How much?

I am using Google Authenticator as a second factor on some sites, (including my Google Account). Every now and then I need to produce a token to log in. If some attacker received those tokens over time, would they become able to guess the internal…
Marcel
1 vote, 4 answers

Implementation flow of MFA with TOTP

For a frontend, I would like to implement MFA (with TOTP). I may be searching for the wrong keywords but I couldn't find the proper way to securely implement this solution. I was searching for a diagram flow for example such as: Request: POST to…
jthemovie
1 vote, 2 answers

How secure are TOTP codes?

I was wondering about the security of TOTP codes. Is there any cryptographic security around the secret to stop a user being able to guess the secret after capturing a variety of TOTP codes. For example: Attacker sniffs creds on a targets network…
Sam Long
1 vote, 2 answers

Why do I see 2FA but not see "two separate entities" being prioritized in website authentication?

I've seen a number of 2 step website authentication methods out there. Some include two passwords, HOTP/TOTP, Yubikey, SMS to a phone number, etc. However, it seems like all of these systems rely on your computer or main device to not be…
Kent Shikama
1 vote, 1 answer

Can an attacker extrapolate future codes based on past codes and their timestamps from a TOTP device?

I recently started using a TOTP fob to secure some of my cloud hosting accounts, and I'd like to familiarize myself with possible attack vectors I should watch out for while I use this system (my previous experience is with U2F/YubiKeys, and not…
Jules
0 votes, 0 answers

Can different OATH accounts from the same 2FA code generator be associated?

For example, given a Yubikey which generates OATH codes (such as with the command ykman oath accounts code 'accountname'), and two different accounts set up on that Yubikey, can a given website/provider (or two different sites under the control of a…
Pistos
0 votes, 0 answers

Authenticator Apps vs. Yubikey

Which is more secure? Authenticator apps don't seem easily hacked so long as you are on non-old software on a phone. Yubikeys seem pretty secure, but do add some friction (extra thing to carry around)
stk1234
0 votes, 0 answers

Could the z3 solver be used to solve serial number generator algorithms, TOTPs and how to protect yourself against this?

Could the original or heavily modified Z3 Solver be used to get for example CD Keys generated from an algorithm? What about TOTP? What protection measures are/should be taken to protect the company assets and similar in this case? I really hope…
Sir Muffington
0 votes, 0 answers

Why not prompt for password and TOTP simultaneously?

In most common web applications that support multi-factor authentication the user is first prompted for their username and password, and only after a successful first authentication the user is prompted for their TOTP token. Why is that? Are there…
0 votes, 1 answer

TOTP code with unicode character?

I was signing up for an app for a credit card I have and I encountered an SMS 2FA format I had never seen before. The code was 47⅗ - that is two digits then capital Phi then the fraction three-fifths. To input there were on-screen buttons, 0 to 9…
Ken Y-N
0 votes, 0 answers

Is a TOTP with RFC 6238 and a password in a manager 2FA?

For example Microsoft Outlook web based email service can be configured to require both a username/password combination and a time-based one-time password (TOTP) generated by the algorithm described in RFC 6238. This will frequently be implemented…
User65535