←back to thread

TOTP tokens on my wrist with the smartest dumb watch

(blog.singleton.io)
274 points alexmolas | 1 comments | 26 Jul 24 19:20 UTC | HN request time: 0s | source
Show context
dvh ◴[27 Jul 24 07:30 UTC] No.41085012[source]
I used totp first time yesterday on GitHub and I don't understand it's point. I had to install otpclient app (from Ubuntu repository) where I typed 4 strings and it spit out one number which I typed back to GitHub. Attacker could do this as well, so the only thing totp does is to prove I can read and write. What am I missing here?
replies(5): >>41085035 #>>41085041 #>>41085055 #>>41085334 #>>41086875 #
mercora ◴[27 Jul 24 07:35 UTC] No.41085035[source]
It's supposed to be on another independent device.
replies(1): >>41085052 #
deredede ◴[27 Jul 24 07:39 UTC] No.41085052[source]
Doesn't have to be. While storing them on your computer does not protect you from an adversary with access to your computer, it still protects you against an advrsaey e that intercepts (or guesses, maybe after a breach) your password.
replies(1): >>41085100 #
0x073 ◴[27 Jul 24 07:53 UTC] No.41085100{3}[source]
It doesnt have to be yes, but it's called 2 factor auth because of the reason that your computer is 1 factor and another device is 2.

It won't protect you from the intention 2fa was created.

replies(3): >>41085673 #>>41085747 #>>41085847 #
1. joshribakoff ◴[27 Jul 24 10:44 UTC] No.41085673{4}[source]
E-mail or sms codes are not 2fa then either, if the attacker has your device (presumably with the e-mail app logged in already and the password saved). But this seems like a dubious distinction, its like saying 2fa is no longer 2fa if the attacker has access to the second factor. Thats not particularly remarkable.

You can call it 2sv, though. Two step verification. But a user can certainly chose to use in a way that makes it 2fa by storing the totp secret on a dedicated device. The bottom line for most use cases is that it stops people from getting in even if they guess or crack your password.

With hardware tokens, it still has tradeoffs. What happens when the “user” (read attacker) claims they lost or damaged the yubi key? What factor do you use to verify them before sending a new yubikey in the mail? What happens if someone breaks into the user’s mail? Etc. no method is perfect.