(blog.dogac.dev)

248 points dogacel | 1 comments | 11 Apr 25 13:06 UTC | HN request time: 0.245s | source

Show context

notpushkin ◴[15 Apr 25 02:27 UTC] No.43688465[source]▶

> Also in some examples like Facebook's password recovery, this secret clock is not shared with the user directly but rather server's generated one-time password is sent via a trusted medium, such as an email to the user.

I’m pretty sure Facebook just makes up a random number and stores it?

replies(2): >>43688485 #>>43688851 #

dogacel ◴[15 Apr 25 03:59 UTC] No.43688851[source]▶

>>43688465 #

Good catch. In my mind storing that random number is similar to storing a plain-text password, thus I thought they were generating TOTPs. Let's hear from others how they implemented it.

replies(5): >>43688873 #>>43688969 #>>43689277 #>>43689772 #>>43690963 #

1. GoblinSlayer ◴[15 Apr 25 10:18 UTC] No.43690963[source]▶

>>43688851 #

The number is random, so there's no need to worry about plain storage.

↑

Behind the 6-digit code: Building HOTP and TOTP from scratch