
274 points alexmolas | 1 comments
dvh ◴[] No.41085012[source]
I used totp first time yesterday on GitHub and I don't understand it's point. I had to install otpclient app (from Ubuntu repository) where I typed 4 strings and it spit out one number which I typed back to GitHub. Attacker could do this as well, so the only thing totp does is to prove I can read and write. What am I missing here?
replies(5): >>41085035 #>>41085041 #>>41085055 #>>41085334 #>>41086875 #
mercora ◴[] No.41085035[source]
It's supposed to be on another independent device.
replies(1): >>41085052 #
deredede ◴[] No.41085052[source]
Doesn't have to be. While storing them on your computer does not protect you from an adversary with access to your computer, it still protects you against an adversary that intercepts (or guesses, maybe after a breach) your password.
replies(1): >>41085100 #
0x073 ◴[] No.41085100{3}[source]
It doesn't have to be, yes, but it's called 2-factor auth because your computer is factor 1 and another device is factor 2.

It won't protect you from what 2FA was created for.

replies(3): >>41085673 #>>41085747 #>>41085847 #
kevindamm ◴[] No.41085747{4}[source]
The second factor isn't about a second device. It is additional to something you know (password), typically the second factor is something you have (device, yubikey, etc.).

The idea being that the intersection of {people who can get your password, such as through phishing or other digital attack} and {people who have physical proximity and can steal your physical device} are typically much smaller than the set of people in either category.

replies(2): >>41085812 #>>41085889 #
1. ◴[] No.41085812{5}[source]