Post ATga4Vi4kV0TMh4RIe by ruario@social.vivaldi.net
 Post #ATga4Vi4kV0TMh4RIe by ruario@social.vivaldi.net
       2023-03-16T21:17:34Z
       
       0 likes, 0 repeats
       
       I've read a lot of discussion on various sites after GitHub announced requiring 2FA (two-factor authentication). Not long before that there was discussion after Twitter started to charge for SMS 2FA login support.

       Both times, there was confusion in particular with regards to #TOTP (Time-based One Time Password) Authenticator Apps, with plenty of invalid comments, some common ones being:

       • You need to use a smartphone
       • TOTP exposes your phone number
       • You are locked into a big-tech provider
       
 Post #ATga4WeDGLVkH0Gruy by ruario@social.vivaldi.net
       2023-03-16T21:18:12Z
       
       0 likes, 0 repeats
       
       These are seemingly based on assumptions about how TOTP might work. TOTP authenticator apps actually work by taking a secret key (which is just a string of alphanumeric characters), then taking a note of the current time and combining these with a little "fancy math" to generate a one time password.

       Since only you (well, your TOTP app) and the website you are logging into know the secret key, only you and the website can generate matching one time passwords. If the results are the same, you are in.
       
 Post #ATga4XIcq5pyILB8uO by ruario@social.vivaldi.net
       2023-03-16T21:18:27Z
       
       0 likes, 0 repeats
       
       People use mobile phones to run their TOTP app for two reasons:

       • TOTP secret keys are often shared via QR. It is easy to scan your desktop screen with your phone (but you do not have to do this!)
       • Storing the secrets on your phone but logging in with your desktop makes your phone the second factor (it is separate from your desktop and any password manager you might run there).
       
 Post #ATga4XrMkvcu25Qt3g by ruario@social.vivaldi.net
       2023-03-16T21:18:41Z
       
       0 likes, 0 repeats
       
       But you do not have to use a phone, since there are desktop TOTP apps; these can either scrape the screen to read the QR code, or let you type (or copy and paste) the secret key in manually.

       The site generates a secret key for you and gives it to you via a QR code that your TOTP app (on your phone, PC, Mac, whatever) can scan, or you type it in if you cannot use QR as a way to pass the secret across.
       
 Post #ATga4YZg6B4WFWAH7w by ruario@social.vivaldi.net
       2023-03-16T21:19:06Z
       
       1 likes, 0 repeats
       
       To state this again, a TOTP app needs nothing other than the secret key and an accurate source of time to generate a one time password. No internet connection, no calls home are required. Your phone number does not need to be exposed. The math can all be done on your device and a one time password is generated. In fact there are baseline implementations of TOTP (albeit without support for encrypting the secret keys) written in just 20 lines of Python.
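
       The "fancy math" described in the two posts above is RFC 4226 HOTP run over a time counter (RFC 6238). The following is an added example written for this page, not ruario's code nor any particular authenticator app's: it decodes the base32 secret the way it appears in a QR code's otpauth:// URI, computes the HMAC-based one time password offline from the secret and a Unix timestamp, and shows the server-side check with a small clock-drift window. The otpauth URI, label, issuer and secret (JBSWY3DPEHPK3PXP) are constructed for illustration and belong to no real account.

```python
"""RFC 6238 TOTP from scratch: secret key + current time + HMAC, no network needed."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions the Key URI format allows; SHA1 is what nearly every site uses.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri: str) -> dict:
    """Extract TOTP parameters from an otpauth://totp/... URI (the text a provisioning QR code carries)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 string a site shows you into raw key bytes.

    Sites often display the secret lowercase, in groups of four, without '=' padding;
    all of those are accepted here.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter) -> dynamic truncation -> zero-padded decimal."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: the counter is simply how many `period`-second steps have elapsed since the epoch."""
    return hotp(key, unix_time // period, digits, algorithm)


def verify_totp(key: bytes, code: str, unix_time: int, period: int = 30, digits: int = 6,
                algorithm: str = "SHA1", window: int = 1) -> bool:
    """What the website does: recompute the code for the current step and `window` steps either side
    (to absorb clock drift between your device and the server) and compare in constant time."""
    for step in range(-window, window + 1):
        expected = hotp(key, unix_time // period + step, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed provisioning URI (hypothetical issuer, label and secret; not a real account).
EXAMPLE_URI = "otpauth://totp/Example:ruario%40example.org?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def code_for_example(unix_time: int) -> str:
    """Full flow: URI from the QR code -> raw key -> one time password for the given moment."""
    p = parse_otpauth_uri(EXAMPLE_URI)
    key = decode_secret(p["secret"])
    return totp(key, unix_time, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    # Only the secret and the clock are involved; no network access happens anywhere above.
    print(code_for_example(int(time.time())))
```

       Running the block prints the current six-digit code for the constructed secret; the RFC 6238 Appendix B vectors (20-byte ASCII key `12345678901234567890`, eight digits, SHA1) are a convenient way to check an implementation like this against the standard. Two practitioner notes: the secret is stored in the clear here, which is exactly the missing piece the post mentions, and `verify_totp` illustrates the drift window only; a real server must also remember the last step it accepted so the same code cannot be replayed within the window.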
       
 Post #ATga4ZBxnphGAG4qno by ruario@social.vivaldi.net
       2023-03-16T21:19:24Z
       
       0 likes, 0 repeats
       
       P.S. I do not own a smartphone and yet I use TOTP daily for logins. 🤷🏼
       
 Post #ATga4ZntWo2Q3tp8vQ by ruario@social.vivaldi.net
       2023-03-16T21:33:00Z
       
       1 likes, 0 repeats
       
       Oh, and if I am totally honest with you, about one year ago I also made many of those poor assumptions (mentioned in my first post). 😆