- Six-digit verification codes for something like a "forgot password" flow are OTPs -- they're only good for one login -- but they are not HOTP/TOTPs. HOTP/TOTP has a registration step, where you copy a server-generated secret to your phone through a QR-code-encoded otpauth:// URI (https://github.com/google/google-authenticator/wiki/Key-Uri-...). That doesn't happen in a "forgot password" flow.
Incidentally, if you think of TOTP as being HMAC(unix mod 30, secret), one idea would be to do public key crypto instead of symmetric HMAC stuff. That's basically what a security key is.
If you additionally made it so that you couldn't phish the security key -- by having the OS + web browser know which apps can ask for which security keys -- you'd have reinvented WebAuthn.
P.S.: Make you sure you have stuffing protection in place against these kinds of six-digit-code auth schemes. A million possibilities is often acceptable for a secondary factor, but it's useless if attackers can just try all million codes.
Since they're in the thread, nice article 'dogacel! I've never seen an article on this that also took the time to dig into HMAC internals and that gnarly DT function.
by 3eb7988a1663
4 subcomments
- It is a bit terse, but there is a 20-line Python implementation which cleared up the ideas for me: https://github.com/susam/mintotp
by notpushkin
2 subcomments
- > Also in some examples like Facebook's password recovery, this secret clock is not shared with the user directly but rather server's generated one-time password is sent via a trusted medium, such as an email to the user.
I’m pretty sure Facebook just makes up a random number and stores it?
- Facebook's login/account recovery codes are not TOTP/HOTP, but are random numbers. Also, the author struggled to check their implementation. One can easily compare an implementation of many websites by grabbing the QR codes they use for login and importing into your favorite authenticator app and also decoding the QR code to get the secret. In theory your code should produce the same codes at the same time as the app.
- Very helpful article. I recently went down the TOTP rabbit hole and this article would have been great.
I run a suite of servers and setup scripts that go with them. I can create users and secret keys easily enough using our APIs, but I needed a way to generate TOTP codes on the fly. I got it working on my machine, but sharing it with others was a bit difficult because really the only "logic" was generating the secrets while everything else was static data and storing responses from the APIs.
I ended up making my own API to generate TOTP codes from secrets, <https://totpapi.com>. I try to make it clear it should only be used for testing, but it makes this kind of thing much easier for me. Maybe it will help someone else as well. :)
- Well I started reading, but then the page was blurred and blocked by a popup, so I only made it about a third down.
by DarkCrusader2
0 subcomment
- Another post which describes the TOTP concisely - https://drewdevault.com/2022/10/18/TOTP-is-easy.html
- Nice. I recommend RFC 4226 and RFC 6238 for those wanting to get their feet wet in reading RFCs and other specifications; they were the first RFCs I implemented (with others), and one of the first Rust projects I worked on.
by unethical_ban
1 subcomments
- I always thought it odd that companies would spend so much money on services like Symantec VIP, with their proprietary BS and high costs, when someone could implement TOTP in 15 minutes as an internal service.
It's a little more complicated now with push notifications and more complex flows, but for generic TOTP?
- A while back I created a fallback for use from my dotfiles that can be used from the command line: https://github.com/gbraad-dotfiles/upstream/blob/02deb3ef922... using zsh, openssl and xxd
This is not the first attempt I made. That was about 11 years ago with https://github.com/gbraad-apps/gauth using JavaScript as an application that would work on a Nokia Symbian/Maemo phone and as a webapp.
- And I put it like this
https://medium.com/@thatkid02/javascript-2-factor-authentica...
by jqpabc123
2 subcomments
- I implemented TOTP as a command line app doing lookup and generation by pulling secrets from a locally encrypted password file.
And before someone asks, the decrypt key is only stored in my head and the app fails silently after a significant delay if the decrypt fails.
What I don't get is how HOTP is anything but a fail waiting to happen if used across an unreliable network. Maybe this explains why I have yet to encounter a real world deployment of HOTP.
by coppsilgold
1 subcomments
- It's often a good idea to set up TOTP on accounts just because they may treat you differently due to having 2FA enabled. It would be harder to lose a gmail account to their "security" systems if you add TOTP to it for example. In the case of gmail adding it is a hassle involving devtools to emulate a hardware key first then add TOTP and then delete the hardware 2FA.
Some password managers such as KeepassXC have TOTP incorporated into them and you can have it available right next to the password. It may defeat the purpose of 2FA under some assumptions.
- https://github.com/pcarrier/gauth
by coolThingsFirst
2 subcomments
- > Like the traditional password authentication approach, the user and the authority (server) still needs to agree on a common secret key.
Not sure what you mean by this, the server checks the hashed version of the password.
- Thanks for the read, I learnt something about HOTP/TOTP today.
I would like to know why the clocks are all weird though - the numbers aren't in the right places. Were the images in this blog post "AI" generated?
- On a side note, does anyone know why banks still rely on sms 2fa codes instead of TOTP? Is there some regulatory issue that makes it more difficult?
by ajsnigrutin
1 subcomments
- What is it with modern web design... can't even read a third of the page, and they already want my email to subscribe...
by calvinmorrison
0 subcomment
- here's my small totp generator i use written in perl
https://git.ceux.org/totp-perl.git/tree/totp.pl
by coolThingsFirst
1 subcomments
- What is HMAC i still dont understand this part? Is it RSA encrytion?
by nikolayasdf123
0 subcomment
- yep, it is just couple lines of code and nice math behind it
by lhayward450
0 subcomment
- [dead]
Hacker News