
248 points dogacel | 2 comments
notpushkin No.43688465
> Also in some examples like Facebook's password recovery, this secret clock is not shared with the user directly but rather server's generated one-time password is sent via a trusted medium, such as an email to the user.

I’m pretty sure Facebook just makes up a random number and stores it?

replies(2): >>43688485 #>>43688851 #
dogacel No.43688851
Good catch. In my mind storing that random number is similar to storing a plain-text password, thus I thought they were generating TOTPs. Let's hear from others how they implemented it.
replies(5): >>43688873 #>>43688969 #>>43689277 #>>43689772 #>>43690963 #
inferiorhuman No.43689277
I have to pull a number from Google Authenticator to log into my FB account so I can only assume they're not simply generating random numbers.
replies(2): >>43689293 #>>43689323 #
notpushkin No.43689293
But they’re not sending you this number via email.
replies(1): >>43690003 #
inferiorhuman No.43690003
Correct. Before they killed mbasic the prompt said they would text me a code, but in reality they were prompting for a TOTP code.
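The two designs the thread contrasts, as an added example that is not from the thread or from Facebook: a random recovery code that is emailed but stored only as a keyed hash with expiry and an attempt limit (so the database never holds the "plain-text" code dogacel worries about), beside an RFC 6238 TOTP derived from a shared secret. The server key, user names and time values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed server-side key; in practice kept in a KMS/secret store, not the DB.
SERVER_KEY = b"constructed-server-pepper"
MAX_ATTEMPTS = 3

def _digest(user, code):
    # Keyed hash binds the code to the user; the DB holds only this digest.
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).hexdigest()

def issue_random_code(store, user, now, ttl=600):
    """(a) Random code sent by email/SMS; only HMAC(code) + expiry are stored."""
    code = f"{secrets.randbelow(10**6):06d}"
    store[user] = {"digest": _digest(user, code), "expires": now + ttl,
                   "attempts": MAX_ATTEMPTS}
    return code  # leaves via the trusted channel, never persisted in plaintext

def verify_random_code(store, user, code, now):
    """Constant-time check; single use; expiry and attempt limit enforced."""
    rec = store.get(user)
    if rec is None or now > rec["expires"]:
        store.pop(user, None)
        return False
    ok = hmac.compare_digest(_digest(user, code), rec["digest"])
    rec["attempts"] -= 1
    if ok or rec["attempts"] <= 0:
        del store[user]  # consumed on success; removed after too many failures
    return ok

def hotp(secret, counter, digits=6):
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"

def totp(secret, now, step=30):
    """(b) RFC 6238: the counter is the 30-second time step; nothing per-code is stored."""
    return hotp(secret, int(now) // step)

def verify_totp(secret, code, now, step=30, skew=1):
    """Accept the current step and +/- skew neighbours, comparing in constant time."""
    base = int(now) // step
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-skew, skew + 1))
```

With the RFC 4226/6238 test secret `12345678901234567890`, `totp(secret, 59)` yields `287082`, matching the published vector.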