
274 points by alexmolas | 1 comment
dvh No.41085012
I used TOTP for the first time yesterday on GitHub and I don't understand its point. I had to install the otpclient app (from the Ubuntu repository), where I typed 4 strings and it spat out one number which I typed back into GitHub. An attacker could do this as well, so the only thing TOTP does is prove I can read and write. What am I missing here?
replies(5): >>41085035 #>>41085041 #>>41085055 #>>41085334 #>>41086875 #
1. jmprspret No.41085334
> Attacker could do this as well,

No they cannot. They should not/will not be able to view that initial TOTP generation code. That is the "secret" that determines what digits are generated at one time.
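To make the reply concrete, here is an added example (not code from either commenter, GitHub, or otpclient) of what the authenticator app does with the "strings" it was given: the base32 secret is the only input an attacker lacks, and the six digits are an HMAC over the current 30-second time step, per RFC 6238. The secret below is the RFC 6238 test-vector secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 form of the RFC 6238 test secret (ASCII "12345678901234567890").
# In practice this is the string shown once during enrollment, never again.
ENROLLMENT_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(b32: str) -> bytes:
    """Authenticator apps accept the secret as base32, often in spaced groups."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- window
    steps to tolerate clock drift; constant-time compare avoids timing leaks."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * 30), submitted)
        for k in range(-window, window + 1)
    )

def attacker_without_secret(unix_time: int, guess: bytes = b"not the secret") -> str:
    """Anyone can run the same algorithm; without the secret the digits differ."""
    return totp(guess, unix_time)

if __name__ == "__main__":
    secret = decode_secret(ENROLLMENT_SECRET_B32)
    now = int(time.time())
    print("code now:", totp(secret, now))
    print("verifies:", verify(secret, totp(secret, now), now))
    print("attacker's guess accepted:",
          verify(secret, attacker_without_secret(now), now))
```

The digits change every step, so a stolen code is useful only briefly, while the secret itself is what the account's security rests on.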