On 06/08/2024 11:37, to...@tuxteam.de wrote:
> TOTP is a standard (rfc6238 [1]) so it actually /should/ give the same
> numbers regardless of the application.
> (This is what miffs me most: those marketing departments always sell you
> some unspecified snake oil -- "authenticator app", "2FA" -- instead of
> telling you what's technically behind it.
It is mostly true; however, authenticator applications may use
vendor-specific protocols that rely on a network connection instead of
displaying a TimeOTP code to confirm login. The worst case is when TOTP is
disabled for a specific service and alternative applications cannot be used.
While passwords are salted and hashed to make it harder to steal them
from servers, the same approach is not applicable to TimeOTP. The same
secret must be available on both client and server to derive a code valid for
the current (half) minute.
I am not recommending against TOTP. Just be aware that enabling and
using it may require more effort than an application specific to a
particular vendor.