TOTP tokens on my wrist with the smartest dumb watch

(blog.singleton.io)

274 points alexmolas | 1 comments | 26 Jul 24 19:20 UTC | HN request time: 0s | source

Show context

dvh ◴[27 Jul 24 07:30 UTC] No.41085012[source]▶

I used totp first time yesterday on GitHub and I don't understand it's point. I had to install otpclient app (from Ubuntu repository) where I typed 4 strings and it spit out one number which I typed back to GitHub. Attacker could do this as well, so the only thing totp does is to prove I can read and write. What am I missing here?

replies(5): >>41085035 #>>41085041 #>>41085055 #>>41085334 #>>41086875 #

mercora ◴[27 Jul 24 07:35 UTC] No.41085035[source]▶

>>41085012 #

It's supposed to be on another independent device.

replies(1): >>41085052 #

deredede ◴[27 Jul 24 07:39 UTC] No.41085052[source]▶

>>41085035 #

Doesn't have to be. While storing them on your computer does not protect you from an adversary with access to your computer, it still protects you against an advrsaey e that intercepts (or guesses, maybe after a breach) your password.

replies(1): >>41085100 #

0x073 ◴[27 Jul 24 07:53 UTC] No.41085100{3}[source]▶

>>41085052 #

It doesnt have to be yes, but it's called 2 factor auth because of the reason that your computer is 1 factor and another device is 2.

It won't protect you from the intention 2fa was created.

replies(3): >>41085673 #>>41085747 #>>41085847 #

1. deltaknight ◴[27 Jul 24 11:27 UTC] No.41085847{4}[source]▶

>>41085100 #

For what it’s worth, whilst your point somewhat stands, generally just 2 devices are not considered 2 factors.

Usually, the factors are considered as:

- something you know (e.g a password)

- something you have (e.g. a device token)

- something you are (e.g. a fingerprint or other biometrics)

Single factor with uses just one of these, which is why you can unlock your phone with either a passcode and a biometric with the same level of security (when talking about factors)

Two factors should have two unique ones of these, and in this case a TOTP generator on the same computer as you are logging in on is fine because the computer counts as “something you have” and the password you enter counts as “something you know”. An attacker who takes your computer still only gains 1 factor (disregarding secure enclaves and password protection etc) and doesn’t have both.

Of course if an attackers manages to access both your password manager and your TOTP generator (whether or not they’re on the same device), then both factors are compromised because the “something you know” factor has been broken due to the things you know being stored somewhere.

Of course, the way you practice the security of each of the factors is important and can vary greatly depending on how you effort you want to put in to it. For instance, keeping TOTPs on just hardware tokens which you never keep plugged in protects against your device being stolen.

↑