Subj : Google to turn on 2FA
To   : Arelor
From : August Abolins
Date : Thu Oct 07 2021 22:55:00

Hello Arelor!

** On Thursday 07.10.21 - 06:29, Arelor wrote to Ed Vance:

A> I think Google is using TOTP, which does not require a
A> phone number [...]

A> The idea is that the TOTP device creates a One-Time-
A> Password which is a function of the date (in seconds) and
A> some cryptomaterial stored in the TOTP device. This means
A> if you need to know your password for NOW you tell the
A> device to produce it, and you get one, and the device only
A> needs to have a copy of your OTP key material and a working
A> clock.

A> The server can verify the password is correct by performing
A> the same operation, pretty much.

I learned this:

[1] TOTP values can be phished like passwords, though this requires attackers to proxy the credentials in real time.[a]

[a] Umawing, Jovi (21 January 2019). "Has two-factor authentication been defeated? A spotlight on 2FA's latest challenge". Malwarebytes Labs. Archived from the original on 25 September 2020. Retrieved 9 August 2020.

[2] An attacker who steals the shared secret can generate new, valid TOTP values at will. This can be a particular problem if the attacker breaches a large authentication database.[b]

[b] Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise". WIRED. Archived from the original on 12 November 2020. Retrieved 17 February 2017.

I'd rather use SQRL.

--
../|ug

--- OpenXP 5.0.50
 * Origin: my little micronet point (618:510/1.1)