←back to thread

Behind the 6-digit code: Building HOTP and TOTP from scratch

(blog.dogac.dev)
248 points dogacel | 4 comments | 11 Apr 25 13:06 UTC | HN request time: 0.439s | source
1. sksxihve ◴[15 Apr 25 17:52 UTC] No.43696212[source]
On a side note, does anyone know why banks still rely on sms 2fa codes instead of TOTP? Is there some regulatory issue that makes it more difficult?
replies(3): >>43696285 #>>43698896 #>>43699344 #
2. UncleMeat ◴[15 Apr 25 17:57 UTC] No.43696285[source]
Everybody with a phone has SMS baked in. SMS also has a recovery process if you drop your phone in the toilet. Ultimately, this improved user experience outweighs the security benefit to TOTP for many organizations.

TOTP also doesn't stop the biggest threat that SMS faces: phishing. Saving you from sim-swap attacks is just not a particular huge increase in security posture.

My bank at least offers TOTP as an option, but the huge majority of people are going to enroll with SMS.

3. Rygian ◴[15 Apr 25 21:56 UTC] No.43698896[source]
My two banks require additional approval via push notification to the phone app. No SMS involved.

(In France.)

4. dogacel ◴[15 Apr 25 22:47 UTC] No.43699344[source]
Some banks in Switzerland give customers a device that generates TOTP codes.