274 points alexmolas | 1 comment
dvh No.41085012
I used TOTP for the first time yesterday on GitHub and I don't understand its point. I had to install the otpclient app (from the Ubuntu repository) where I typed 4 strings and it spat out one number which I typed back into GitHub. An attacker could do this as well, so the only thing TOTP does is prove I can read and write. What am I missing here?
replies(5): >>41085035 >>41085041 >>41085055 >>41085334 >>41086875
1. SyrupThinker No.41085055
You are missing that the TOTP secret will only be presented once during setup.

It is now a second factor because you need to prove possession of the secret by entering the current TOTP code during login. It will not be presented again, so an attacker needs to have been able to intercept the initial secret exchange (well, or phish for it, etc.).

You are usually prompted to enter the code during setup to ensure the secret has actually been put into some authenticator and is not immediately going to be lost.