One key requirement for the one-time password is that each password should be used once only - the algorithm therefore needs some kind of variable element to generate a different OTP each time the user wants to log in. The secret key is provided by the website to the user in the QR code, both sides need to retain this secret key for one-time password generation (this key is stored within the authenticator). Here, the one-time password is the 6-digit token that the user sends to the website to get validated. Of course, in this case, you are also putting trust on the authenticator provider. The major difference among different authenticators is that some integrate with the cloud and upload an encrypted copy of your keys to their server, so you enjoy the convenience of accessing your tokens on multiple devices. Other authenticator apps like Authy, Duo Mobile, Lastpass, and 1Password all implement the same algorithms and are able to generate the exact same tokens you get from Google Authenticator. What Google Authenticator uses are the HMAC-Based One-time Password (HOTP) and Time-based One-time Password (TOTP) algorithms. Some sites specifically ask you to use Google Authenticator, you don’t have to. When you enable two-factor authentication on websites, they usually show you a QR code and ask you to scan and launch your authenticator app. I think it is a terrible idea to use them, you are basically collapsing all the factors back into one - your master password. Some password managers like LastPass and BitWarden provide authenticator functionality as well. Indeed, if you use the authenticator app on your smartphone you may also get the third factor for free, by needing to pass your smartphone’s biometric authentication before launching the authenticator app.
It has been known that passwords are not good enough.
0 kommentar(er)
