What's wrong with TOTP? Are you using that term in a technical sense to mean something specific or are you referring to any situation where someone needs to consult an app on a second device to receive a code to present to the first device?
The way I think of it is: my browser’s password manager is the phishing-resistant portion of the system, and TOTP ensures that I am the one sitting at my browser.
Passkeys sound interesting, but I have a (perhaps incorrect) user-hostile big-tech lock-in feeling from them. I really could be wrong, but it feels like the intention is for us all to have to use accounts from Google, Microsoft, Facebook or Apple (maybe Mozilla, maybe), using browsers from Google, Microsoft or Apple (maybe Firefox), on OSes from Google, Microsoft or Apple.
Yes, that might be a strategic thinking of big tech. Still, you can use third-party password managers like Bitwarden, KeePassXC or 1Password to take care of your passkeys. I think most non-technical users will go for the Apple/Google/Microsoft credential manager option, but if you're more tech-savvy, there are ways to stay independent of big tech.
Agree. If I show my parents or grandparents TOTP, they're usually lost and hate it. Recently I saw a study showing that over 90% of users choose SMS OTP over TOTP anyway.
How does a server using WebAuthn know that the client it is talking to is the right one? For example, say my bank wants to use WebAuthn instead of a username and password to let me access my account. How does the bank's server know that the public key I give it (via my browser) corresponds to my account?
Also, what if my device gets stolen? How do I prevent someone else from accessing my account, since the secret needed to do so is on the device, not with me?
1) They link the public key to your user account in their database.
2) Passkeys are 2FA by default. Someone needs to steal your phone where the private key is stored (first factor) and they would need your Face ID / Touch ID / PIN code (second factor). Just losing your phone doesn't give someone else the chance to use your passkey for authentication.
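An added example, not from anyone in this thread, of what points 1) and 2) look like on the server: the credential id presented at login is looked up in the table filled at registration (that is the link to the account), and the signed authenticatorData carries the user-verified flag that tells the server the local Face ID / PIN check happened. The relying-party id `bank.example`, the credential id, the user name and the challenge are constructed; the asymmetric signature check is injected as a callback, and the demo's callback is an HMAC stand-in so the block runs offline.

```python
import hashlib, hmac, json, struct

RP_ID = "bank.example"          # constructed relying-party id
FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticatorData flag bits: user present / user verified
credentials = {}                # credential id -> {user, key, count}: the key<->account link

def register(user, credential_id, public_key):
    credentials[credential_id] = {"user": user, "key": public_key, "count": 0}

def verify_assertion(credential_id, client_data_json, auth_data, signature,
                     expected_challenge, verify_signature):
    """Return the account name on success, None on any failure."""
    cred = credentials.get(credential_id)       # unknown id: no account to bind to
    if cred is None or len(auth_data) < 37:
        return None
    cd = json.loads(client_data_json)           # challenge and origin are under the signature
    if (cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge
            or cd.get("origin") != "https://" + RP_ID):
        return None
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return None
    if not (flags & FLAG_UP and flags & FLAG_UV):   # no local Face ID/PIN check: reject
        return None
    if count != 0 and count <= cred["count"]:       # counter not advancing: replay/clone signal
        return None
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not verify_signature(cred["key"], signed, signature):
        return None
    cred["count"] = count
    return cred["user"]

# Offline stand-in for the asymmetric primitive (constructed): a real server verifies an
# ECDSA/EdDSA signature with the registered public key here, not an HMAC.
def demo_sign(key, msg): return hmac.new(key, msg, "sha256").digest()
def demo_verify(key, msg, sig): return hmac.compare_digest(demo_sign(key, msg), sig)
def make_auth_data(flags, count):
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
def client_data(challenge):
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": "https://" + RP_ID}).encode()

def demo(flags=FLAG_UP | FLAG_UV, count=1, challenge="c1"):
    # one login attempt by constructed authenticator "cred-1", registered to alice
    cred_id, key = b"cred-1", b"demo-key"
    if cred_id not in credentials:
        register("alice", cred_id, key)
    cd, ad = client_data(challenge), make_auth_data(flags, count)
    sig = demo_sign(key, ad + hashlib.sha256(cd).digest())
    return verify_assertion(cred_id, cd, ad, sig, "c1", demo_verify)
```

`demo()` returns `"alice"` for a fresh, user-verified assertion and `None` when the UV flag is missing, the challenge is wrong, the counter does not advance, or the credential id is unknown.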