Questions tagged [totp]

Time-based One-time Password Algorithm

77 questions
0 votes, 0 answers

Why do we need complicated truncation for the OTP?

If we assume that time-based OTP generates the OTP using a hash function like SHA-3, then the generated OTP would be Hash(Secret, shared time). We want a shortened string rather than the full hash string, so truncation is needed. But that hash…
0 votes, 1 answer

How is TOTP considered 2FA?

I was wondering about the design of TOTP and 2FA. I learned that 2FA is any 2 of the following authentication methods: Something you know (e.g. a password), Something you have (e.g. an email address), Something you are (e.g. biometrics). Since the…
Bart
0 votes, 1 answer

Storing OTP seeds in password manager

I am storing my passwords in a password manager (KeePass). I am also using KeePass to set up one-time passwords for some accounts. KeePass stores the seeds of the OTPs in its database. If my KeePass DB is compromised, I lose my passwords…
0 votes, 0 answers

Historical examples of breached TOTP secrets?

While reading about password breaches, it occurred to me: where are the TOTP shared-secret breaches? Because TOTP relies on a shared secret (unlike, say, U2F), the server has a copy of the shared secret, which lends itself to the same vulnerability to…
user8187
0 votes, 0 answers

TOTP, but share server time

Is there any major flaw in using TOTP in a way where the server sends its time to the client when the client requests to log in? The advantage of this is the client's time does not have to be set correctly, as it uses the time provided by the…
run_the_race
0 votes, 1 answer

Is this a secure way of authenticating, advice on what to change?

I have a few terminals that I currently authenticate using a static IP. The problem is that in my country the internet is not stable, so I often have to switch to mobile data, and then the terminals can't authenticate because their IP addresses change. The…
run_the_race
0 votes, 1 answer

Is 2FA required for one-time login links?

I'm currently implementing 2FA and ask our users who log in with their email/password to enter their code when 2FA is enabled. This is all good. But I also offer an "I forgot my password" access that sends a one-time login link by email to the user when…
Cyril N.
0 votes, 0 answers

Combine HOTP and TOTP

I want to build a custom OTP implementation that utilizes the HOTP/TOTP algorithm. I need to create several codes (one time passwords), which are all valid for the same time window in the future (e.g. five hours), but each code can only be used…
earthling
0 votes, 1 answer

Securing shared key in TOTP Implementations

I'm currently learning about Time-based One-Time Password implementations (see RFC6283). I see that a shared secret is part of the algorithm. This shared secret is exposed to the user (see example with Google Authenticator). So I'd like to ask: Why…
Gigi
0 votes, 1 answer

How do the DUO push-button method and other methods actually work?

Google Authenticator uses the HOTP and TOTP algorithms for TFA. What is the basic working principle of DUO push? What brings security to DUO push?
Jay
0 votes, 2 answers

Should I use TOTP when using OAuth2?

I'm implementing TOTP in my application to allow users to use two-factor authentication with Google Authenticator and the like. However, I've also implemented "social login" using OAuth; should the users be prompted for their TOTP codes when logging…
NanoBob
0 votes, 0 answers

Two-factor authentication on Galaxy Watch - should secrets be encrypted, and is this SQLite example secure?

I recently got a Galaxy Watch and, to get acquainted with developing apps for it, I'm writing a simple two-factor authenticator that generates TOTP codes from entered secrets using the Google Authenticator algorithm. I found this SQLite example for…
0 votes, 1 answer

Are there security issues in not supporting TOTP 2FA for 1Password?

1Password sort of supports 2FA. We have a master password and an additional secret. But why don't they support TOTP for 2FA? I just want to make really sure that unless I approve, no other devices can access my 1Password account. Say someone put a…
user4234
0 votes, 1 answer

Risks of sharing multiple, old TOTP codes?

What are the risks (if any) of sharing the TOTP codes? I'm referring to the six-digit codes generated by Google Authenticator and the like. By "sharing old tokens" I'm thinking of posting online a list of, say, 10 consecutive codes I got (and the…
mgarciaisaia
0 votes, 2 answers

Does the TOTP Algorithm rely on the client time always being synced correctly?

What happens if, for some reason, a cell phone's clock/calendar is off by a significant amount of time? Does the TOTP (time-based OTP) algorithm generate an invalid token? Also, do time zones play a role in the token being correct, or does both the…
Ole