
274 points alexmolas | 1 comments
dvh No.41085012
I used TOTP for the first time yesterday on GitHub and I don't understand its point. I had to install the otpclient app (from the Ubuntu repository), where I typed 4 strings and it spat out one number, which I typed back into GitHub. An attacker could do this as well, so the only thing TOTP does is prove I can read and write. What am I missing here?
1. deredede No.41085041
GitHub sent you those 4 strings while you were logged in and they are now stored on your computer. GitHub will not send them to an attacker that is not already logged in.