🆕 blog! “The least secure TOTP code possible” If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP). As I've moaned about before, TOTP has never been […] - ThreadSky

About ThreadSky

Edent.mastodon.social.ap.brid.gy • 8 days ago

🆕 blog! “The least secure TOTP code possible”

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP).

As I've moaned about before, TOTP has never been […]

Comments

GavinChait.wandering.shop.ap.brid.gy•8 days ago

@Edent I experienced all this disbelief when implementing TOTP for my base stack. Plus that you can use better encryption to generate QR codes, but the various apps won't support it. So you're stuck with something that is better than nothing, but not by much.

Edent.mastodon.social.ap.brid.gy•8 days ago

@GavinChait which encryption were you interested in implementing?

GavinChait.wandering.shop.ap.brid.gy•7 days ago

@Edent I had to go look that up. It's been a while. I developed a base project stack for FastAPI using `passlib`. When you initialise the TOTP generator, you need a hash generator, & you can only use `SHA-1`. I found that interesting, along with all the other things you noted, like code length […]

Edent.mastodon.social.ap.brid.gy•7 days ago

@GavinChait hmm, not sure that's correct. The spec allows for 256 and 512 hashing algorithms.
https://www.rfc-editor.org/rfc/rfc6238#section-1.2

But I'll have to check if any apps support it.

GavinChait.wandering.shop.ap.brid.gy•7 days ago

@Edent yeah, it wasn't that you couldn't generate it, it was that many apps I tested didn't support it. And you can't force people to use a particular app. I ended up having to settle on `SHA-1` just to get it to work.

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply