
248 points dogacel | 1 comment
notpushkin No.43688465
> Also in some examples like Facebook's password recovery, this secret clock is not shared with the user directly but rather the server-generated one-time password is sent via a trusted medium, such as an email to the user.

I’m pretty sure Facebook just makes up a random number and stores it?

dogacel No.43688851
Good catch. In my mind storing that random number is similar to storing a plain-text password, thus I thought they were generating TOTPs. Let's hear from others how they implemented it.
crdrost No.43688969
So you are right that the random number becomes "password-like", but of course if you really care about that you don't need to store the exact random number, just as you don't have to store a raw password.

However, if your random login code is easily typable then it's usually drawn from a small enough keyspace that any such code is trivially brute-forceable. Like if it's decimal digits you need more than ten.

So in practice people just trust that you are on good terms with your email provider and anyone else with access to your email, and use other mechanisms to limit access to these codes from insiders.