248 points dogacel | 1 comments
notpushkin No.43688465
> Also in some examples like Facebook's password recovery, this secret clock is not shared with the user directly but rather server's generated one-time password is sent via a trusted medium, such as an email to the user.

I’m pretty sure Facebook just makes up a random number and stores it?

1. SoftTalker No.43688485
Yes, if you’re sending the number to the user, it might as well just be random; that’s a lot easier.

Clocks and secrets are only needed if the user is providing a number generated on the remote side.
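The distinction drawn in this exchange, as an added Python example that is not part of either comment or of the linked article: a server-sent recovery code is just a stored random number, while a code the user generates on their own device needs a shared secret and a clock (TOTP, RFC 6238). The names `EmailedCodeStore` and `totp` are hypothetical, and the in-memory dict stands in for a database.

```python
import hashlib, hmac, secrets, struct, time

class EmailedCodeStore:
    """Server-sent code: random, stored server-side, expiring, single use."""
    def __init__(self, ttl=600):
        self.ttl = ttl
        self._pending = {}  # user -> (sha256(code), expiry); assumption: stands in for a DB

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, no clock or shared secret
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = (digest, now + self.ttl)
        return code  # delivered over the trusted medium, e.g. email

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        # pop() allows one guess per issued code (a design choice of this example)
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expiry = entry
        ok = hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())
        return ok and now <= expiry

def totp(secret, now, step=30, digits=6):
    """User-generated code: both sides derive it from a shared secret and the time."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"

if __name__ == "__main__":
    store = EmailedCodeStore()
    sent = store.issue("alice")
    print("emailed code accepted:", store.verify("alice", sent))
    print("replay accepted:", store.verify("alice", sent))
    print("TOTP now:", totp(b"12345678901234567890", time.time()))
```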