
248 points dogacel | 4 comments
notpushkin No.43688465
> Also in some examples, like Facebook's password recovery, this secret clock is not shared with the user directly; rather, the server-generated one-time password is sent via a trusted medium, such as an email to the user.

I’m pretty sure Facebook just makes up a random number and stores it?

replies(2): >>43688485 >>43688851
dogacel No.43688851
Good catch. In my mind, storing that random number is similar to storing a plain-text password, so I thought they were generating TOTPs. Let's hear from others how they implemented it.
replies(5): >>43688873 >>43688969 >>43689277 >>43689772 >>43690963
1. inferiorhuman No.43689277
I have to pull a number from Google Authenticator to log into my FB account so I can only assume they're not simply generating random numbers.
replies(2): >>43689293 >>43689323
2. notpushkin No.43689293
But they’re not sending you this number via email.
replies(1): >>43690003
3. dogacel No.43689323
Two different flows, an online one and an offline one.

TOTP devices can be powered offline, which makes them extra secure: you don't transfer any data around, so the possibility of leaking it is extremely low.

Random numbers could only work in an online flow, where the server sends you a one-time code using a secure communication method, such as a trusted phone number or email address.
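
The two flows described in the comment above, and the earlier worry in this thread that storing the random code is like storing a plain-text password, side by side in working Python. This is an added example, not code from the thread or from Facebook: the offline flow is RFC 6238 TOTP over a shared secret, the online flow draws a random code, keeps only a salted hash with an expiry and an attempt counter, and hands the plaintext back to be delivered over the trusted channel. The 600-second TTL, the 5-attempt limit and the in-memory `store` dict are assumptions made for illustration.

```python
"""Two one-time-code flows (added example, not from the thread or Facebook).

Flow 1, offline: client and server share a secret and both derive the code
from the current time (RFC 4226 HOTP / RFC 6238 TOTP), so nothing but the
six digits crosses the wire at verification time.

Flow 2, online: the server draws a random code, stores only a salted hash of
it plus an expiry and attempt counter, and sends the plaintext over a
trusted channel (email, SMS). Hashing answers the "plain-text password"
concern; expiry and attempt limits are what really bound a 6-digit code.
"""
import hashlib
import hmac
import secrets
import struct

# ---- Flow 1: TOTP over a shared secret --------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)

def verify_totp(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` neighbours to tolerate clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

# ---- Flow 2: random code delivered out of band, stored hashed ---------------

CODE_TTL = 600        # seconds a code stays valid (assumption for this example)
MAX_ATTEMPTS = 5      # guesses allowed per issued code (assumption)

def issue_code(store: dict, user: str, now: float, digits: int = 6) -> str:
    """Draw a random code, record only its salted hash with an expiry, and
    return the plaintext for delivery over the trusted channel."""
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    salt = secrets.token_bytes(16)
    store[user] = {
        "salt": salt,
        "hash": hashlib.sha256(salt + code.encode()).digest(),
        "expires": now + CODE_TTL,
        "attempts": 0,
    }
    return code

def verify_code(store: dict, user: str, code: str, now: float) -> bool:
    """Single-use, expiring, attempt-limited check against the stored hash."""
    rec = store.get(user)
    if rec is None or now > rec["expires"]:
        store.pop(user, None)          # expired or never issued
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        store.pop(user, None)          # too many guesses: burn the code
        return False
    expected = hashlib.sha256(rec["salt"] + code.encode()).digest()
    if hmac.compare_digest(expected, rec["hash"]):
        del store[user]                # single use: burn the code on success
        return True
    return False

if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890")
    shared = b"12345678901234567890"
    print("TOTP at T=59:", totp(shared, 59))
    db = {}
    emailed = issue_code(db, "alice", now=1000.0)
    print("emailed code verifies:", verify_code(db, "alice", emailed, now=1001.0))
```

A six-digit code has only a million possibilities, so hashing it protects against a database leak far less than hashing a real password does; the expiry and the attempt cap are what actually keep an attacker from guessing it, and those limits matter in both flows (a TOTP verifier needs the same rate limiting). The `window` in `verify_totp` is the usual one-step tolerance for clock drift; widening it widens the guessing surface proportionally.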

4. inferiorhuman No.43690003
Correct. Before they killed mbasic the prompt said they would text me a code, but in reality they were prompting for a TOTP code.