Personally, I prefer to use TOTP when available due to the risk of a SIM-swapping attack [2]. User friction is a very real issue, and TOTP will always be more frictional than SMS; I can’t solve that in this post. This post, however, is more concerned with the matter of keeping your secret portable and within your control if you decide to use TOTP for 2FA.

So the first order of business here is to clarify that whenever you see a site advertising 2FA via ‘Google Authenticator,’ what they actually mean is TOTP, or more accurately RFC 6238, an open standard [3]. Getting an increasingly-vital, open standard to be almost exclusively associated with one shitty app from one shitty company is certainly very good for that company, but very bad for everyone else. I would hazard that most people who are aware of it know it exclusively as Google Authenticator. If you’ve made it this far without knowing what TOTP is, well, that’s almost certainly by design.

Additionally, if you’re reading this and you currently implement TOTP on a site you manage or are planning to, I implore you to describe it accurately (including Google Authenticator as one of several options, if necessary) rather than feeding into the belief that the magical six-digit codes are a product of Alphabet.

So what, then, is TOTP? Even if you know it isn’t A Google Thing, the mechanism by which a QR code turns into a steady stream of six-digit codes is not entirely obvious. This is, typically, how we set up TOTP – we’re given a QR code which we photograph with our authenticator app, and suddenly we have TOTP codes.

The QR code itself contains just a few pieces of URI-encoded data. This may include some specifics about the length of the code to be generated, the timing to be used, the hash method being used, and where the code is intended to be used. Crucially, it also contains an important secret – the cryptographic key that, along with a known time reference, is the foundation from which the codes are cryptographically generated. Essentially, a very strong password is kept secure, and from this an easily-digestible temporary code is generated based on time.