bentobox19.eth pfp
bentobox19.eth
@bentobox19
Let's talk about 2FA and TOTP (Google Authenticator, Twilio Authy, etc) 🧵1/14
1 reply
0 recast
0 reaction

bentobox19.eth pfp
bentobox19.eth
@bentobox19
2FA stands for "Two Factor Authentication", that is, using two ways to authenticate yourself to a service. For example passwords is "Something you know", your cellphone is "Something you have". There is also "Something you are" (Biometrics). 2/14
1 reply
0 recast
0 reaction

bentobox19.eth pfp
bentobox19.eth
@bentobox19
Some people will tell you there is also "Somewhere you are" (Location-based authentication). This is not so simple to implement, though, so let's stick to "Something you know/have/are" 3/14
1 reply
0 recast
0 reaction

bentobox19.eth pfp
bentobox19.eth
@bentobox19
TOTP stands for "Time-Based One-Time Password Algorithm", and is derived from HOTP. Both defined at RFC 6238 and RFC 4226 https://datatracker.ietf.org/doc/html/rfc6238 https://datatracker.ietf.org/doc/html/rfc4226. 4/14
1 reply
0 recast
0 reaction

bentobox19.eth pfp
bentobox19.eth
@bentobox19
How it works? The service creates a secret and passes it to you, generally in the form of a QR code. Both have then a "shared secret". What you do when you want to authenticate is showing to the service that you HAVE this secret. 5/14
1 reply
0 recast
0 reaction

bentobox19.eth pfp
bentobox19.eth
@bentobox19
To protect this secret from prying eyes, what you and the service do, each at their side, is 1. taking this shared secret + the current timestamp 2. produce a hash, 3. truncate the hash to N digits, 4. you send the digits and the service compares it to what it's got. 6/14
1 reply
0 recast
0 reaction