undefined | Better HN

0 pointsthaumasiotes5y ago0 comments

The seed is all you need. The device is unnecessary.

0 comments

5 comments · 2 top-level

nl5y ago· 2 in thread

Sure.

No need to be sarcrastic. He is absolutely right. The seed is all you need in case of the common TOTP algorithm. There is no connection to the device.

In fact, in Google Authenticator you can even conveniently export all running TOTP to another Google Authenticator without any connection with the apps or anything else whatsoever.

nl5y ago

That wasn't supposed to be sarcastic at all.

I was in total agreement with him - you can in theory run the algorithm by hand.

It isn't especially relevant though - 2-factor is "something you know, something you have". You need to have the hash.

hedora5y ago· 1 in thread

So, it’s a password.

All I need for password authentication is the password and a device that can generate a one time proof that I know the password.

TOTP just seems more secure because the password is never displayed to the end-user.

nl5y ago

It's not a password.

A password/passphrase/passcode is something you know.

A hash for a TOTP is something you have. 2 factor means something you know and something you have (or something you are): https://dis-blog.thalesgroup.com/security/2011/09/05/three-f...

(And yes in theory you could remember the hash, and have a custom TOTP client that lets you enter it in. But unless you do this it is a theoretical argument only).

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

nl5y ago· 2 in thread

Sure.

ascar5y ago

No need to be sarcrastic. He is absolutely right. The seed is all you need in case of the common TOTP algorithm. There is no connection to the device.

In fact, in Google Authenticator you can even conveniently export all running TOTP to another Google Authenticator without any connection with the apps or anything else whatsoever.

nl5y ago

That wasn't supposed to be sarcastic at all.

I was in total agreement with him - you can in theory run the algorithm by hand.

It isn't especially relevant though - 2-factor is "something you know, something you have". You need to have the hash.

hedora5y ago· 1 in thread

So, it’s a password.

All I need for password authentication is the password and a device that can generate a one time proof that I know the password.

TOTP just seems more secure because the password is never displayed to the end-user.

nl5y ago

It's not a password.

A password/passphrase/passcode is something you know.

A hash for a TOTP is something you have. 2 factor means something you know and something you have (or something you are): https://dis-blog.thalesgroup.com/security/2011/09/05/three-f...

(And yes in theory you could remember the hash, and have a custom TOTP client that lets you enter it in. But unless you do this it is a theoretical argument only).

j / k navigate · click thread line to collapse