All Questions
Tagged with account-security one-time-password
13 questions
31 votes, 2 answers, 5k views
What is the point of entering numbers in the two-factor authentication app?
Nowadays, 2FA apps usually require you to insert a number which you are presented with when trying to authenticate. For example, the following screenshot is from Microsoft Authenticator:
This is ...
1 vote, 1 answer, 171 views
Is using the computer for MFA safe?
Recently, I discovered that MFA apps just calculate those codes based on a private key and the time clock, so it's easy to use tools like gnu pass to replace those apps with your computer.
But what are ...
1 vote, 0 answers, 119 views
Is it necessary to keep these 4 accounts separate from a password manager?
Microsoft Authenticator requires an:
Outlook account
Verification account
iCloud account
The first two are required to set up the authenticator on a new device, the latter stores all the data to be ...
2 votes, 0 answers, 573 views
In a forgotten-password flow, is asking the user for their TOTP among other details secure?
I have started to work on the Forgotten password feature on my website. Based on OWASP Forgot Password cheatsheet, the user should provide enough information to confirm that it is really them.
The ...
1 vote, 2 answers, 401 views
In case of TOTP code generation, why do products prefer generic authenticator apps, such as Google Authenticator?
All the products supporting TOTP-based 2FA use one of the common authenticator apps such as Google Authenticator, Authy, etc.
I want to understand whether there are any security reasons behind why ...
3 votes, 3 answers, 1k views
Password reset link vs Temporary password
Which is harder to exploit:
Password reset link with tokens/timestamps/code/ticket etc
Or, temporary password sent on user mail using which login can be done and password can be changed.
Any ...
16 votes, 3 answers, 6k views
Am I generating email link tokens correctly?
I am developing a reliable system for token generation and validation used mainly for links in confirmation emails (reset password request, change email flow, activate an account, etc...).
There are ...
2 votes, 1 answer, 858 views
Security implications of auto-submitting OTP?
So the question was originally asked as a part of the UX question here.
My question is: are there any security risks involved when I auto-submit the OTP? Currently, I'm limiting the number of ...
1 vote, 1 answer, 664 views
Is it safe to receive a one-time password (OTP) on the mobile where the online banking application is installed?
Assume a customer of a bank is using an online banking facility and he is using an online banking application on a mobile (Android).
There could be a possibility that particular mobile could be ...
1 vote, 1 answer, 1k views
Best practices to protect public/private SSH key pair in web interface?
I've got a dilemma here: I'm working on a system that will connect to remote Linux servers for monitoring and automating some processes. Since user+pass is insecure for obvious reasons and public/...
22 votes, 4 answers, 4k views
How secure are password managers with account recovery?
The major commercial password manager companies claim to have a "zero knowledge" system. This means the master password of the user is the only way to decrypt the data and it is not stored anywhere. ...
20 votes, 4 answers, 5k views
One Time Password Algorithm for Humans
Is there a one time password generation algorithm (based on predefined secret and a changing value/time/counter/etc) that is simple enough that it can be processed by an average human but safe enough ...
2 votes, 1 answer, 777 views
What are the security risks of resetting your password every time you login?
Is it a good idea in terms of security to reset your password every time you login and just fill your password with a bunch of random symbols, letters and words that you don't memorise?
Since ...