
274 points alexmolas | 1 comments
dvh No.41085012
I used TOTP for the first time yesterday on GitHub and I don't understand its point. I had to install the otpclient app (from the Ubuntu repository), where I typed 4 strings and it spit out one number which I typed back into GitHub. An attacker could do this as well, so the only thing TOTP does is prove I can read and write. What am I missing here?
replies(5): >>41085035 >>41085041 >>41085055 >>41085334 >>41086875
1. numpad0 No.41086875
In classical proprietary implementations, the TOTP physical keychain is sent to you out-of-band via snail mail. The secret is never sent to you electronically.

Modern phone app reimplementations do it in-band, online, in the hope that it will be harder for opportunistic adversaries to capture that initial handshake.
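A minimal RFC 6238 TOTP generator and verifier, added here as an illustration and not code from either commenter: what the server checks is an HMAC over the current 30-second counter, keyed with the secret shared at enrollment (the strings typed into the app), so a valid code proves possession of that secret at that moment, not the ability to copy a number. The secret and expected codes below are the RFC 4226/6238 test vector; `verify` and its one-step window are an assumed server-side policy, not GitHub's.

```python
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per counter value, the RFC 6238 default

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)

def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the code for the current
    counter or one step either side, to tolerate clock skew and typing delay.
    The comparison is constant-time; the secret itself never leaves the server."""
    counter = unix_time // TIME_STEP
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False

if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1
    code = totp(RFC_TEST_SECRET, t)
    print("code at t=59:", code)                         # 287082
    print("accepted at t=80 :", verify(RFC_TEST_SECRET, code, 80))   # True (counter 2, window covers 1)
    print("accepted at t=120:", verify(RFC_TEST_SECRET, code, 120))  # False (counter 4, too old)
```

Without the enrollment secret an attacker who merely observes one code can replay it only inside the acceptance window; with it, they can mint codes forever, which is why the comment above is about how that secret is delivered.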