
248 points dogacel | 3 comments
1. coppsilgold No.43689171
It's often a good idea to set up TOTP on accounts just because they may treat you differently due to having 2FA enabled. It would be harder to lose a Gmail account to their "security" systems if you add TOTP to it, for example. In the case of Gmail, adding it is a hassle involving devtools to emulate a hardware key first, then add TOTP, and then delete the hardware 2FA.

Some password managers such as KeePassXC have TOTP incorporated into them and you can have it available right next to the password. It may defeat the purpose of 2FA under some assumptions.

replies(1): >>43689252 #
2. dogacel No.43689252
I personally use 1Password with hardware keys where possible.

> It may defeat the purpose of 2FA

True, I think of this as a mid-step of smooth transition from plain-text passwords to secure keys. You kinda get the benefit of both.

Also those apps are secured much better than a traditional password manager as browser auto-fill for example.

replies(1): >>43689632 #
3. coppsilgold No.43689632
> I think of this as a mid-step of smooth transition from plain-text passwords to secure keys.

This is not what I meant. Storing the TOTP next to the password means you don't really have 2FA, as it's a single point of failure. Still better than nothing, especially when the objective is what I stated in the first paragraph.