undefined | Better HN

0 pointstialaramex5y ago0 comments

With TOTP it's very understandable to limit you to one authenticator as each additional authenticator makes it easier to attack you (meaningfully more guessed codes are now correct at any moment) and the UX is awful because there's no good way to discern one TOTP authenticator from another.

WebAuthn / U2F are explicitly designed to allow multiple authenticators. The W3C WebAuthn spec. explicitly calls out that you should allow users to register more than one authenticator, and might want to provide a nice way for your users to label them, e.g. "Yubikey", "iPhone", "Greg's key" or whatever. Every site I've used that offers WebAuthn does this correctly except AWS and you'd have to take that up with Amazon.

0 comments

2 comments · 2 top-level

dheera5y ago

> discern one TOTP authenticator from another

Just match the code the user entered against all registered authenticators. Limit the number of authenticators to maybe 3-4 per account.

jlgaddis5y ago

> ... each additional authenticator makes it easier to attack you (meaningfully more guessed codes are now correct at any moment) ...

That isn't really an issue with TOTP either (if properly implemented), as each authenticator has a unique identifier and seed.

I've got multiple authenticators set up on a PayPal account. When logging in, I simply select which of the authenticators I want to use and enter the code it gives me.

j / k navigate · click thread line to collapse