If we assume that Time-based OTP generates the OTP using a hash function like SHA-3, then the generated OTP would be Hash(Secret, Shared time).
We want a shortened string rather than a full hash string, so truncation is needed.
But that hash…
I was wondering about the design of totp and 2fa. I learned that 2fa is any 2 of the following authentication methods:
Something you know (e.g. a password)
Something you have (e.g. an email address)
Something you are (e.g. biometrics)
Since the…
I am storing my passwords in a password manager (keepass). Also I am using keepass to set up one-time passwords for some accounts. Keepass is storing the seeds of the OTPs in its database.
If my keepass DB is compromised I am losing my passwords…
While reading about password breaches, it occurred to me: where are the TOTP shared secret breaches? Because TOTP relies on a shared secret (unlike, say, U2F), the server has a copy of the shared secret, which lends itself to the same vulnerability to…
Is there any major flaw in using TOTP in a way where the server sends its time to the client when the client requests to log in? The advantage of this is the client's time does not have to be set correctly, as it uses the time provided by the…
I have a few terminals that I currently use a static IP to authenticate. The problem is in my country the internet is not stable, so often I have to switch to mobile data, and then the terminals can't authenticate because their IP addresses change.
The…
I'm currently implementing 2FA and ask our users who log in with their email/pass to enter their code when 2FA is enabled. This is all good.
But I also offer a "I forgot my password" access that sends a one-time login link by email to the user when…
I want to build a custom OTP implementation that utilizes the HOTP/TOTP algorithm.
I need to create several codes (one time passwords), which are all valid for the same time window in the future (e.g. five hours), but each code can only be used…
I'm currently learning about Time-based One-Time Password implementations (see RFC6283). I see that a shared secret is part of the algorithm.
This shared secret is exposed to the user (see example with Google Authenticator).
So I'd like to ask:
Why…
I'm implementing TOTP in my application to allow users to use two-factor authentication with Google authenticator and the like.
However I've also implemented "social login" using OAuth, should the users be prompted for their TOTP codes when logging…
I recently got a Galaxy Watch and to get acquainted with developing apps for it I'm writing a simple two factor authenticator to generate TOTP codes from entered secrets using the Google Authenticator algorithm. I found this SQLite example for…
1Password sort of supports 2FA. We have a master password and an additional secret. But why don't they support TOTP for 2FA?
I just want to make really sure that unless I approve, no other devices can access my 1Password account.
Say someone put a…
What are the risks (if any) of sharing the TOTP codes?
I'm referring to the six-digit codes generated by Google Authenticator and the like. By "sharing old tokens" I'm thinking of posting online a list of, say, 10 consecutive codes I got (and the…
What happens if for some reason a cell phone's clock/calendar is off by a significant amount of time? Does the TOTP (Time-based OTP) algorithm generate an invalid token? Also, do time zones play a role in the token being correct, or do both the…