
274 points alexmolas | 3 comments
dvh ◴[] No.41085012[source]
I used TOTP for the first time yesterday on GitHub and I don't understand its point. I had to install the otpclient app (from the Ubuntu repository), where I typed 4 strings and it spit out one number which I typed back to GitHub. An attacker could do this as well, so the only thing TOTP does is to prove I can read and write. What am I missing here?
replies(5): >>41085035 #>>41085041 #>>41085055 #>>41085334 #>>41086875 #
mercora ◴[] No.41085035[source]
It's supposed to be on another independent device.
replies(1): >>41085052 #
deredede ◴[] No.41085052[source]
Doesn't have to be. While storing them on your computer does not protect you from an adversary with access to your computer, it still protects you against an adversary that intercepts (or guesses, maybe after a breach) your password.
replies(1): >>41085100 #
0x073 ◴[] No.41085100[source]
It doesn't have to be, yes, but it's called 2 factor auth for the reason that your computer is 1 factor and another device is 2.

It won't protect you from what 2FA was created for.

replies(3): >>41085673 #>>41085747 #>>41085847 #
kevindamm ◴[] No.41085747[source]
The second factor isn't about a second device. It is additional to something you know (password), typically the second factor is something you have (device, yubikey, etc.).

The idea being that the intersection of {people who can get your password, such as through phishing or other digital attack} and {people who have physical proximity and can steal your physical device} is typically much smaller than the set of people in either category.

replies(2): >>41085812 #>>41085889 #
PhilipRoman ◴[] No.41085889[source]
>something you know (password)

Conveniently saved in your browser :) Might not be easy to extract from a logged-out device, but grabbing the device quickly can bypass both "factors" simultaneously.

Makes me wonder how functions like CryptProtectData protect against physical disk access with a hex editor. The hash of the login password can be changed to anything and obviously they cannot access the actual password since it should be destroyed after hashing. So unless TPM is involved I don't see how it can be secure.

replies(2): >>41088625 #>>41088866 #
withinboredom ◴[] No.41088866[source]
Even if the TPM is involved, it can be cracked. But as with any hack, once someone has physical access to your computer, all bets are off.

The odds of someone stealing your computer to hack into your accounts instead of simply selling it on eBay are practically zero for most people.

replies(1): >>41103095 #
fragmede ◴[] No.41103095[source]
Can it really? The abilities of TLAs are unknown, but RSA with a properly sized key isn't known to have many weaknesses. That doesn't mean there aren't any side-channel attacks, but your average thief isn't going to be able to break into an encrypted hard drive in any reasonable amount of time, even if they have physical possession of the device. Or so I'm led to believe. If you have evidence to the contrary, I'd love to hear!
replies(1): >>41121775 #
withinboredom ◴[] No.41121775[source]
https://hackaday.com/2024/02/06/beating-bitlocker-in-43-seco...

:)