undefined | Better HN

0 pointse12e2y ago0 comments

TOTP (Time-based one-time password) need a shared secret (and two synchronized clocks) to work, so yes.

FIDO2/WebAuthn relies on public key technology - so does also have a secret key - but is designed to be kept secret from the service/server one authenticates against.

For use - FIDO2 is more like a multi-use id. Like a driver's license many services accept as id. If you lose it - you don't restore a backup copy from a safe - you use your passport until you get a new one issued.

This makes more sense than with TOTP as the services only need your public key(id) on file.

https://en.wikipedia.org/wiki/Time-based_One-time_Password

https://en.m.wikipedia.org/wiki/WebAuthn

0 comments

rawgabbit2y ago

Which FIDO2 service do you recommend?

I get tired reading all these security articles. The more I read, the more I feel they are hiding something.

e12eOP2y ago

> Which FIDO2 service do you recommend?

Generally what comes with your phone and one or two hw tokens for backup? Looks like token2.com is a reasonable choice if you just want NFC/USBc and FIDO2 (and not storage for ssh/gpg keys). But I have little experience with hw keys.

1 more reply

j / k navigate · click thread line to collapse