undefined | Better HN

0 pointsthaumasiotes4y ago0 comments

The seed is all you need. The device is unnecessary.

0 comments

So, it’s a password.

All I need for password authentication is the password and a device that can generate a one time proof that I know the password.

TOTP just seems more secure because the password is never displayed to the end-user.

nl4y ago

It's not a password.

A password/passphrase/passcode is something you know.

A hash for a TOTP is something you have. 2 factor means something you know and something you have (or something you are): https://dis-blog.thalesgroup.com/security/2011/09/05/three-f...

(And yes in theory you could remember the hash, and have a custom TOTP client that lets you enter it in. But unless you do this it is a theoretical argument only).

nl4y ago

Sure.

ascar4y ago

No need to be sarcrastic. He is absolutely right. The seed is all you need in case of the common TOTP algorithm. There is no connection to the device.

In fact, in Google Authenticator you can even conveniently export all running TOTP to another Google Authenticator without any connection with the apps or anything else whatsoever.

nl4y ago

That wasn't supposed to be sarcastic at all.

I was in total agreement with him - you can in theory run the algorithm by hand.

It isn't especially relevant though - 2-factor is "something you know, something you have". You need to have the hash.

j / k navigate · click thread line to collapse

0 comments

hedora4y ago

So, it’s a password.

All I need for password authentication is the password and a device that can generate a one time proof that I know the password.

TOTP just seems more secure because the password is never displayed to the end-user.

nl4y ago

It's not a password.

A password/passphrase/passcode is something you know.

A hash for a TOTP is something you have. 2 factor means something you know and something you have (or something you are): https://dis-blog.thalesgroup.com/security/2011/09/05/three-f...

(And yes in theory you could remember the hash, and have a custom TOTP client that lets you enter it in. But unless you do this it is a theoretical argument only).

nl4y ago

Sure.

ascar4y ago

No need to be sarcrastic. He is absolutely right. The seed is all you need in case of the common TOTP algorithm. There is no connection to the device.

In fact, in Google Authenticator you can even conveniently export all running TOTP to another Google Authenticator without any connection with the apps or anything else whatsoever.

nl4y ago

That wasn't supposed to be sarcastic at all.

I was in total agreement with him - you can in theory run the algorithm by hand.

It isn't especially relevant though - 2-factor is "something you know, something you have". You need to have the hash.

j / k navigate · click thread line to collapse