248 points dogacel | 2 comments
1. coolThingsFirst ◴[] No.43695209[source]
> Like the traditional password authentication approach, the user and the authority (server) still needs to agree on a common secret key.

Not sure what you mean by this, the server checks the hashed version of the password.

replies(2): >>43696261 #>>43717570 #
2. dogacel ◴[] No.43696261[source]
Hashing is done before storing the secret on the server side. Therefore they still need to communicate regarding the initial secret.