
248 points dogacel | 2 comments
1. unethical_ban No.43693887
I always thought it odd that companies would spend so much money on services like Symantec VIP, with their proprietary BS and high costs, when someone could implement TOTP in 15 minutes as an internal service.

It's a little more complicated now with push notifications and more complex flows, but for generic TOTP?

replies(1): >>43696309
2. dogacel No.43696309
Agree and disagree.

Deciding on how to store the credentials is still a hard task. Even storing the secret. Ideally it shouldn't stay as plain text in your database. If you use the cloud, something like KMS can be used for additional security. Also you should still consider replay attacks, rate limits, etc.

I agree in the sense that TOTP is hard to implement; no, it is not. I hope this article helped people understand how TOTP works.