this post was submitted on 05 Jun 2024
46 points (78.0% liked)
Open Source
31128 readers
431 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Wut. TOTP doesn't involve sending an OTP. That's the point.
"SMS-based TOTP" is a nonsensical phrase
"Time-based One-Time Password" literally says nothing about the delivery method. Who said it can't involve remote sending?
And what would you call it, then, SOTP?
Anyway, regardless of the terminology-nitpicking, my point still stands.
The point of being time based is to not send it. That's the whole point. To avoid that vecotor of attack.
Do you think the SMS codes are not time-based on the companies' ends? How are they deriving the digits, then?
They are not time based, correct.
Interesting, I didn't know that. So how do they derive the digits?
Best practice for a cryptographic nonce is to generate them randomly every time