undefined | Better HN

0 pointsalkonaut6y ago0 comments

No I mean a physical thing like those little number generators that banks have had for what 20 years now, or the smartphone 2FA apps that we have used for at least 15 years.

I don't enter either a regular password nor one-time password for anything (not for transactions, not for login). I only use an identifying mechanism on a second device (a smartphone or a dedicated device). The secondary device has an 8digit pin though, so if it is stolen then it's not (immediately) compromising the security.

0 comments

3 comments · 1 top-level

sp3326y ago· 2 in thread

Yeah that is a one-time code. It's in the name: https://en.wikipedia.org/wiki/Time-based_One-time_Password_a... And again, if you use only this to log in, it's not two-factor authentication because it's only one factor. You'd have to combine it with something else (like a password or a fingerprint) to have two factors.

alkonautOP6y ago

The rsa OTP-digit generator thing is an OTP, but what about signing with a device that doesn't generate a visible OTP? My authenticator app just asks me to produce my pin into the smartphone app and then the waiting transaction completes automatically in the computer web browser.

I suppose it could be an OTP too, but just not "manually entered"?

Is there a name for this type of authentication? It's just one factor but I do it on a separate device I mean.

sp3326y ago

Oh I see. Yeah Microsoft's authenticator app can do that, but they use it as a second factor. I don't know the details but I'd guess that it's not time-based but some kind of challenge.

Another option is Tumblr's "magic link", where they email you a link that logs you in. That's one of the few places I've seen something like that used as a single factor.

j / k navigate · click thread line to collapse