On Tue, Aug 06, 2024 at 11:07:14PM +0700, Max Nikulin wrote:
> On 06/08/2024 11:37, to...@tuxteam.de wrote:
> > TOTP is a standard (rfc6238 [1]) so it actually /should/ give the same
> > numbers regardless of the application.
> >
> > (This is what miffs me most: those marketing departments always sell you
> > some unspecified snake oil -- "authenticator app", "2FA" -- instead of
> > telling you what's technically behind it.
>
> It is mostly true, however authenticator applications may use
> vendor-specific protocols that rely on a network connection instead of
> displaying a TimeOTP code to confirm login. The worst case is when TOTP is
> disabled for a specific service and alternative applications can not be used.

I just today set up one more: it /was/ TOTP, after all. The instructions,
of course, didn't say so, but talked a lot about scanning the QR code with
your smartphone (there is the TOTP key beneath this ready for c&p, but no
mention of it). That's what I call nudging.

> While passwords are salted and hashed to make it harder to steal them from
> servers,

...but of course they must be stored in plain text in your password "vault".
(OK, technically they may be encrypted, but usually the "vault" has a key)

> the same approach is not applicable for TimeOTP. The same secret
> must be available on client and server to derive a code valid for the
> current (half of) minute.
>
> I am not recommending against TOTP. Just be aware that enabling and using it
> may require more effort than for an application specific to a particular vendor.

Nor am I. It is a specific tool for a specific job -- my point is, that most
of the time it's being pushed without really understanding what it affords.

Cheers
-- t