coolThingsFirst ◴[] No.43695209[source]
> Like the traditional password authentication approach, the user and the authority (server) still need to agree on a common secret key.

Not sure what you mean by this, the server checks the hashed version of the password.

1. dogacel ◴[] No.43696261[source]
Hashing is done before storing the secret on the server side. Therefore they still need to communicate regarding the initial secret.
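The point made in the reply above, as an added example that is not part of the original thread: a constructed toy server that stores only a salted PBKDF2 hash, yet still receives the plaintext secret at registration and at every login. The `Server` class, the `seen_on_wire` list, the user name and the sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class Server:
    """Constructed toy server: keeps salt + PBKDF2 hash, never the password."""

    def __init__(self):
        self.db = {}            # user -> (salt, derived_key)
        self.seen_on_wire = []  # everything the client had to send us

    @staticmethod
    def _derive(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def register(self, user: str, password: bytes) -> None:
        # The secret reaches the server in the clear (inside TLS in practice);
        # hashing happens only afterwards, before it is written to storage.
        self.seen_on_wire.append(password)
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(password, salt))

    def login(self, user: str, password: bytes) -> bool:
        # Same at login: the server re-hashes what the client sends.
        self.seen_on_wire.append(password)
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, self._derive(password, salt))


def demo():
    server = Server()
    secret = b"correct horse battery staple"  # constructed sample password
    server.register("alice", secret)
    accepted = server.login("alice", secret)
    rejected = server.login("alice", b"wrong guess")
    # Storage holds no plaintext, but the wire carried it each time.
    plaintext_stored = any(secret in field for field in server.db["alice"])
    return accepted, rejected, plaintext_stored, server.seen_on_wire


if __name__ == "__main__":
    print(demo())
```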