248 points dogacel | 1 comments
notpushkin No.43688465
> Also in some examples like Facebook's password recovery, this secret clock is not shared with the user directly but rather the server's generated one-time password is sent via a trusted medium, such as an email to the user.

I’m pretty sure Facebook just makes up a random number and stores it?

replies(2): >>43688485 >>43688851
dogacel No.43688851
Good catch. In my mind storing that random number is similar to storing a plain-text password, thus I thought they were generating TOTPs. Let's hear from others how they implemented it.
replies(5): >>43688873 >>43688969 >>43689277 >>43689772 >>43690963
lucb1e No.43689772
What's the difference between storing a random number and storing the OTP secret? It's all ones and zeroes in a database.

If you store the OTP secret in an HSM, then you can do the same when generating a random number. I'm not aware of anyone actually doing that though (I surely won't have seen even 1% of what's out there, but as a security consultant I get around at least a little bit).
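The two designs the thread compares, side by side, as an added example that is not code from the thread or from Facebook: a server-side TOTP (RFC 6238) derived from a stored shared secret, and a random recovery code that the server keeps only as a salted hash with an expiry and single use. The `store` dict and the function names are assumptions standing in for a real database.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the server must hold `secret` in the clear to compute this."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept codes from neighbouring time steps to tolerate clock drift; compare in constant time."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * STEP), code)
               for d in range(-window, window + 1))


def issue_random_code(store: dict, user: str, now: int, ttl: int = 600) -> str:
    """Random 6-digit code: only a salted SHA-256 of it is stored, so a DB dump does not reveal it."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    salt = secrets.token_bytes(16)
    store[user] = (salt, hashlib.sha256(salt + code.encode()).digest(), now + ttl)
    return code  # delivered to the user out of band (e.g. email); never persisted in clear


def verify_random_code(store: dict, user: str, code: str, now: int) -> bool:
    """Single use (record is removed on first attempt), expiring, constant-time comparison."""
    record = store.pop(user, None)
    if record is None:
        return False
    salt, digest, expires = record
    if now > expires:
        return False
    return hmac.compare_digest(hashlib.sha256(salt + code.encode()).digest(), digest)
```

The practical difference is what a leaked database yields: the TOTP path stores the secret itself (so it belongs in an HSM or encrypted at rest), while the random-code path can store only a hash, like a password.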