Is there any security risk for an application allowing a user to register multiple TOTP devices for a single account?
I've noticed that with many popular accounts (gmail, github) you have the ability to register multiple security tokens, but not…
We are thinking about enabling 2FA with Google Authenticator for all our services.
But the only concern for me now is that users will have to have a dedicated Authenticator's account for every service, let's say:
Github
AWS
Gmail
Jenkins
Maybe…
I was just reading around and found it really fascinating that Authy can use Google Authenticator implementations anywhere.
How does Authy do this? Isn't this a security risk?
Recently I acquired a security Fido key that allows me to use the U2F protocol on some of my accounts. Now I know that these keys use public/private keys for the specified account but I'm stuck on the logic of one part. How does the Fido Key know…
I am using Google Authenticator as a second factor on some sites (including my Google Account).
Every now and then I need to produce a token to log in.
If some attacker received those tokens over time, would they become able to guess the internal…
For a frontend, I would like to implement MFA (with TOTP).
I may be searching for the wrong keywords, but I couldn't find the proper way to implement this solution securely. I was searching for a flow diagram, for example such as:
Request: POST to…
I was wondering about the security of TOTP codes.
Is there any cryptographic security around the secret to stop a user being able to guess the secret after capturing a variety of TOTP codes. For example:
Attacker sniffs creds on a target's network…
I've seen a number of 2 step website authentication methods out there. Some include two passwords, HOTP/TOTP, Yubikey, SMS to a phone number, etc. However, it seems like all of these systems rely on your computer or main device to not be…
I recently started using a TOTP fob to secure some of my cloud hosting accounts, and I'd like to familiarize myself with possible attack vectors I should watch out for while I use this system (my previous experience is with U2F/YubiKeys, and not…
For example, given a Yubikey which generates OATH codes (such as with the command ykman oath accounts code 'accountname'), and two different accounts set up on that Yubikey, can a given website/provider (or two different sites under the control of a…
Which is more secure?
Authenticator apps don't seem easily hacked so long as you are on non-old software on a phone.
Yubikeys seem pretty secure, but do add some friction (extra thing to carry around)
Could the original or heavily modified Z3 Solver be used to get for example CD Keys generated from an algorithm?
What about TOTP?
What protection measures are/should be taken to protect the company assets and similar in this case?
I really hope…
In most common web applications that support multi-factor authentication, the user is first prompted for their username and password, and only after a successful first authentication is the user prompted for their TOTP token.
Why is that? Are there…
I was signing up for an app for a credit card I have and I encountered an SMS 2FA format I had never seen before. The code was 47Φ⅗, that is, two digits, then capital Phi, then the fraction three-fifths. To input there were on-screen buttons, 0 to 9…
For example Microsoft Outlook web based email service can be configured to require both a username/password combination and a time-based one-time password (TOTP) generated by the algorithm described in RFC 6238. This will frequently be implemented…