How are one-time password generators like Google Authenticator different from having two passwords?How safe is Two Factor Authentication (TOTP)?In a TOTP implementation, does there need to be an expiration policy for the user's secret key?Why do I see 2FA but not see “two separate entities” being prioritized in website authentication?Multi-Single-Factor vs. Multi-Factor AuthenticationDoes producing TOTP tokens weaken the stored secret? How much?Does the existence of two-factor recovery codes mean that my 2-factor code isn't completely random?Does the TOTP Algorithm rely on the client time always being synced correctly?Storing TOTP secret in database, plaintext or encrypted?Is it reasonable to store encrypted TOTP keys + authentication credentials on a single device (for end-user)?Can a Time-based One-time Password (TOTP) key be decoded from generated values?

Why A=2 and B=1 in the call signs for Spirit and Opportunity?

Question about Shemot, locusts

Why is the Eisenstein ideal paper so great?

Why was this character made Grand Maester?

Count all vowels in string

What is to the west of Westeros?

Where is Jon going?

Is superuser the same as root?

The disk image is 497GB smaller than the target device

What is the use case for non-breathable waterproof pants?

Is keeping the forking link on a true fork necessary (Github/GPL)?

Why'd a rational buyer offer to buy with no conditions precedent?

Why did it take so long for Germany to allow electric scooters / e-rollers on the roads?

Are there historical examples of audiences drawn to a work that was "so bad it's good"?

Why does Bran want to find Drogon?

How does the Earth's center produce heat?

Why did other houses not demand this?

What is the function of は in the context?

Why does the painters tape have to be blue?

What is Orcus doing with Mind Flayers in the art on the last page of Volo's Guide to Monsters?

Did significant numbers of Japanese officers escape prosecution during the Tokyo Trials?

"Official wife" or "Formal wife"?

Flatten not working

Testing using real data of the customer



How are one-time password generators like Google Authenticator different from having two passwords?


How safe is Two Factor Authentication (TOTP)?In a TOTP implementation, does there need to be an expiration policy for the user's secret key?Why do I see 2FA but not see “two separate entities” being prioritized in website authentication?Multi-Single-Factor vs. Multi-Factor AuthenticationDoes producing TOTP tokens weaken the stored secret? How much?Does the existence of two-factor recovery codes mean that my 2-factor code isn't completely random?Does the TOTP Algorithm rely on the client time always being synced correctly?Storing TOTP secret in database, plaintext or encrypted?Is it reasonable to store encrypted TOTP keys + authentication credentials on a single device (for end-user)?Can a Time-based One-time Password (TOTP) key be decoded from generated values?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








60















Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this : The server generates a secret key and shares with the client (you) when the client registers with the server. Using the shared key and the current timestamp, a new password is generated every 30 seconds.



If anyone has the shared key, then they can generate the OTP themselves using the TOTP algorithm. Isn't this similar to a password? Doesn't it get reduced to having two passwords - One is the password that you use to login and the other is the shared key between you and the server?






multi-factor google totp







share|improve this question
























  • The main risk is that the providers database of secrets is breached. Given the frequency of this kind of event, it's a pretty significant risk, in my estimation. If you want something that isn't subject to that kind of thing, you should look at something like FIDO2.

    – JimmyJames
    May 10 at 16:14


















60















Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this : The server generates a secret key and shares with the client (you) when the client registers with the server. Using the shared key and the current timestamp, a new password is generated every 30 seconds.



If anyone has the shared key, then they can generate the OTP themselves using the TOTP algorithm. Isn't this similar to a password? Doesn't it get reduced to having two passwords - One is the password that you use to login and the other is the shared key between you and the server?






multi-factor google totp







share|improve this question
























  • The main risk is that the providers database of secrets is breached. Given the frequency of this kind of event, it's a pretty significant risk, in my estimation. If you want something that isn't subject to that kind of thing, you should look at something like FIDO2.

    – JimmyJames
    May 10 at 16:14














60












60








60


11






Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this : The server generates a secret key and shares with the client (you) when the client registers with the server. Using the shared key and the current timestamp, a new password is generated every 30 seconds.



If anyone has the shared key, then they can generate the OTP themselves using the TOTP algorithm. Isn't this similar to a password? Doesn't it get reduced to having two passwords - One is the password that you use to login and the other is the shared key between you and the server?






multi-factor google totp







share|improve this question
















Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this : The server generates a secret key and shares with the client (you) when the client registers with the server. Using the shared key and the current timestamp, a new password is generated every 30 seconds.



If anyone has the shared key, then they can generate the OTP themselves using the TOTP algorithm. Isn't this similar to a password? Doesn't it get reduced to having two passwords - One is the password that you use to login and the other is the shared key between you and the server?






multi-factor google totp




multi-factor google totp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 9 at 13:19









Machavity

2,399620




2,399620










asked May 9 at 3:08









AshwinAshwin

86731423




86731423












  • The main risk is that the providers database of secrets is breached. Given the frequency of this kind of event, it's a pretty significant risk, in my estimation. If you want something that isn't subject to that kind of thing, you should look at something like FIDO2.

    – JimmyJames
    May 10 at 16:14


















  • The main risk is that the providers database of secrets is breached. Given the frequency of this kind of event, it's a pretty significant risk, in my estimation. If you want something that isn't subject to that kind of thing, you should look at something like FIDO2.

    – JimmyJames
    May 10 at 16:14

















The main risk is that the providers database of secrets is breached. Given the frequency of this kind of event, it's a pretty significant risk, in my estimation. If you want something that isn't subject to that kind of thing, you should look at something like FIDO2.

– JimmyJames
May 10 at 16:14






The main risk is that the providers database of secrets is breached. Given the frequency of this kind of event, it's a pretty significant risk, in my estimation. If you want something that isn't subject to that kind of thing, you should look at something like FIDO2.

– JimmyJames
May 10 at 16:14











2 Answers
2






active

oldest

votes


















98














Passwords are revealed every time you use them: if you have two passwords and you type them into a fraudulent web form, they are both stolen.



The shared secret can't be calculated from a single OTP (or even from a set of them**), so a stolen OTP is only valid for limited time. The shared secret is never transferred during the authentication, so stealing it requires a different attack vector: access to the device where it is kept or copying it (e.g. its QR code) during the initialization.



** Calculating shared secrets backwards would be very impractical, as it's a one-way algorithm. Also, the minimum key length is 128 bits and the algorithm produces only 6 numbers i.e. ~20 bit OTP. This means for every OTP there would be oceans of potential shared secrets, and finding even a single match would only be possible with brute force i.e. calculating 2^128 hashes for every 30 seconds and ruling out every OTP that didn't match.






share|improve this answer




















  • 2





    Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about.

    – kjack
    May 9 at 8:50












  • @kjack: The comment would have been too long, so I just edited it to my answer.

    – Esa Jokinen
    May 9 at 9:05






  • 7





    @kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future.

    – A. Hersean
    May 9 at 9:12







  • 14





    At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never.

    – Esa Jokinen
    May 9 at 9:15







  • 4





    @kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself.

    – Cort Ammon
    May 9 at 16:07



















-8














OTPs are a way of not needing trusting someone with your password when you require them to know something of it (like that you have knowledge of it). In most implementations this is way things work anyway. Passwords are not passed around the net. Salted hashed passwords are. The problem is you don't necessarily trust that that's how everyone is doing things. Services such as google's just take that step away from the place your logging into and do it themselves.



So you're correct. The same things happen, nothing really changes. The only difference is who you trust, but that can be important.






share|improve this answer


















  • 24





    "Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect.

    – AndrolGenhald
    May 9 at 14:48






  • 4





    This is based on personal conception, but it's not backed up by the facts.

    – Esa Jokinen
    May 9 at 19:50







  • 9





    This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is.

    – Kevin
    May 10 at 3:09











  • This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make!

    – securityOrange
    May 11 at 19:48











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209812%2fhow-are-one-time-password-generators-like-google-authenticator-different-from-ha%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









98














Passwords are revealed every time you use them: if you have two passwords and you type them into a fraudulent web form, they are both stolen.



The shared secret can't be calculated from a single OTP (or even from a set of them**), so a stolen OTP is only valid for limited time. The shared secret is never transferred during the authentication, so stealing it requires a different attack vector: access to the device where it is kept or copying it (e.g. its QR code) during the initialization.



** Calculating shared secrets backwards would be very impractical, as it's a one-way algorithm. Also, the minimum key length is 128 bits and the algorithm produces only 6 numbers i.e. ~20 bit OTP. This means for every OTP there would be oceans of potential shared secrets, and finding even a single match would only be possible with brute force i.e. calculating 2^128 hashes for every 30 seconds and ruling out every OTP that didn't match.






share|improve this answer




















  • 2





    Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about.

    – kjack
    May 9 at 8:50












  • @kjack: The comment would have been too long, so I just edited it to my answer.

    – Esa Jokinen
    May 9 at 9:05






  • 7





    @kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future.

    – A. Hersean
    May 9 at 9:12







  • 14





    At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never.

    – Esa Jokinen
    May 9 at 9:15







  • 4





    @kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself.

    – Cort Ammon
    May 9 at 16:07
















98














Passwords are revealed every time you use them: if you have two passwords and you type them into a fraudulent web form, they are both stolen.



The shared secret can't be calculated from a single OTP (or even from a set of them**), so a stolen OTP is only valid for limited time. The shared secret is never transferred during the authentication, so stealing it requires a different attack vector: access to the device where it is kept or copying it (e.g. its QR code) during the initialization.



** Calculating shared secrets backwards would be very impractical, as it's a one-way algorithm. Also, the minimum key length is 128 bits and the algorithm produces only 6 numbers i.e. ~20 bit OTP. This means for every OTP there would be oceans of potential shared secrets, and finding even a single match would only be possible with brute force i.e. calculating 2^128 hashes for every 30 seconds and ruling out every OTP that didn't match.






share|improve this answer




















  • 2





    Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about.

    – kjack
    May 9 at 8:50












  • @kjack: The comment would have been too long, so I just edited it to my answer.

    – Esa Jokinen
    May 9 at 9:05






  • 7





    @kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future.

    – A. Hersean
    May 9 at 9:12







  • 14





    At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never.

    – Esa Jokinen
    May 9 at 9:15







  • 4





    @kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself.

    – Cort Ammon
    May 9 at 16:07














98












98








98







Passwords are revealed every time you use them: if you have two passwords and you type them into a fraudulent web form, they are both stolen.



The shared secret can't be calculated from a single OTP (or even from a set of them**), so a stolen OTP is only valid for limited time. The shared secret is never transferred during the authentication, so stealing it requires a different attack vector: access to the device where it is kept or copying it (e.g. its QR code) during the initialization.



** Calculating shared secrets backwards would be very impractical, as it's a one-way algorithm. Also, the minimum key length is 128 bits and the algorithm produces only 6 numbers i.e. ~20 bit OTP. This means for every OTP there would be oceans of potential shared secrets, and finding even a single match would only be possible with brute force i.e. calculating 2^128 hashes for every 30 seconds and ruling out every OTP that didn't match.






share|improve this answer















Passwords are revealed every time you use them: if you have two passwords and you type them into a fraudulent web form, they are both stolen.



The shared secret can't be calculated from a single OTP (or even from a set of them**), so a stolen OTP is only valid for limited time. The shared secret is never transferred during the authentication, so stealing it requires a different attack vector: access to the device where it is kept or copying it (e.g. its QR code) during the initialization.



** Calculating shared secrets backwards would be very impractical, as it's a one-way algorithm. Also, the minimum key length is 128 bits and the algorithm produces only 6 numbers i.e. ~20 bit OTP. This means for every OTP there would be oceans of potential shared secrets, and finding even a single match would only be possible with brute force i.e. calculating 2^128 hashes for every 30 seconds and ruling out every OTP that didn't match.







share|improve this answer














share|improve this answer



share|improve this answer








edited May 9 at 9:14

























answered May 9 at 4:44









Esa JokinenEsa Jokinen

4,6261623




4,6261623







  • 2





    Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about.

    – kjack
    May 9 at 8:50












  • @kjack: The comment would have been too long, so I just edited it to my answer.

    – Esa Jokinen
    May 9 at 9:05






  • 7





    @kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future.

    – A. Hersean
    May 9 at 9:12







  • 14





    At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never.

    – Esa Jokinen
    May 9 at 9:15







  • 4





    @kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself.

    – Cort Ammon
    May 9 at 16:07













  • 2





    Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about.

    – kjack
    May 9 at 8:50












  • @kjack: The comment would have been too long, so I just edited it to my answer.

    – Esa Jokinen
    May 9 at 9:05






  • 7





    @kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future.

    – A. Hersean
    May 9 at 9:12







  • 14





    At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never.

    – Esa Jokinen
    May 9 at 9:15







  • 4





    @kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself.

    – Cort Ammon
    May 9 at 16:07








2




2





Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about.

– kjack
May 9 at 8:50






Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about.

– kjack
May 9 at 8:50














@kjack: The comment would have been too long, so I just edited it to my answer.

– Esa Jokinen
May 9 at 9:05





@kjack: The comment would have been too long, so I just edited it to my answer.

– Esa Jokinen
May 9 at 9:05




7




7





@kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future.

– A. Hersean
May 9 at 9:12






@kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future.

– A. Hersean
May 9 at 9:12





14




14





At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never.

– Esa Jokinen
May 9 at 9:15






At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never.

– Esa Jokinen
May 9 at 9:15





4




4





@kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself.

– Cort Ammon
May 9 at 16:07






@kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself.

– Cort Ammon
May 9 at 16:07














-8














OTPs are a way of not needing trusting someone with your password when you require them to know something of it (like that you have knowledge of it). In most implementations this is way things work anyway. Passwords are not passed around the net. Salted hashed passwords are. The problem is you don't necessarily trust that that's how everyone is doing things. Services such as google's just take that step away from the place your logging into and do it themselves.



So you're correct. The same things happen, nothing really changes. The only difference is who you trust, but that can be important.






share|improve this answer


















  • 24





    "Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect.

    – AndrolGenhald
    May 9 at 14:48






  • 4





    This is based on personal conception, but it's not backed up by the facts.

    – Esa Jokinen
    May 9 at 19:50







  • 9





    This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is.

    – Kevin
    May 10 at 3:09











  • This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make!

    – securityOrange
    May 11 at 19:48















-8














OTPs are a way of not needing trusting someone with your password when you require them to know something of it (like that you have knowledge of it). In most implementations this is way things work anyway. Passwords are not passed around the net. Salted hashed passwords are. The problem is you don't necessarily trust that that's how everyone is doing things. Services such as google's just take that step away from the place your logging into and do it themselves.



So you're correct. The same things happen, nothing really changes. The only difference is who you trust, but that can be important.






share|improve this answer


















  • 24





    "Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect.

    – AndrolGenhald
    May 9 at 14:48






  • 4





    This is based on personal conception, but it's not backed up by the facts.

    – Esa Jokinen
    May 9 at 19:50







  • 9





    This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is.

    – Kevin
    May 10 at 3:09











  • This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make!

    – securityOrange
    May 11 at 19:48













-8












-8








-8







OTPs are a way of not needing trusting someone with your password when you require them to know something of it (like that you have knowledge of it). In most implementations this is way things work anyway. Passwords are not passed around the net. Salted hashed passwords are. The problem is you don't necessarily trust that that's how everyone is doing things. Services such as google's just take that step away from the place your logging into and do it themselves.



So you're correct. The same things happen, nothing really changes. The only difference is who you trust, but that can be important.






share|improve this answer













OTPs are a way of not needing trusting someone with your password when you require them to know something of it (like that you have knowledge of it). In most implementations this is way things work anyway. Passwords are not passed around the net. Salted hashed passwords are. The problem is you don't necessarily trust that that's how everyone is doing things. Services such as google's just take that step away from the place your logging into and do it themselves.



So you're correct. The same things happen, nothing really changes. The only difference is who you trust, but that can be important.







share|improve this answer












share|improve this answer



share|improve this answer










answered May 9 at 14:40









ANoneANone

2324




2324







  • 24





    "Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect.

    – AndrolGenhald
    May 9 at 14:48






  • 4





    This is based on personal conception, but it's not backed up by the facts.

    – Esa Jokinen
    May 9 at 19:50







  • 9





    This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is.

    – Kevin
    May 10 at 3:09











  • This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make!

    – securityOrange
    May 11 at 19:48












  • 24





    "Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect.

    – AndrolGenhald
    May 9 at 14:48






  • 4





    This is based on personal conception, but it's not backed up by the facts.

    – Esa Jokinen
    May 9 at 19:50







  • 9





    This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is.

    – Kevin
    May 10 at 3:09











  • This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make!

    – securityOrange
    May 11 at 19:48







24




24





"Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect.

– AndrolGenhald
May 9 at 14:48





"Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect.

– AndrolGenhald
May 9 at 14:48




4




4





This is based on personal conception, but it's not backed up by the facts.

– Esa Jokinen
May 9 at 19:50






This is based on personal conception, but it's not backed up by the facts.

– Esa Jokinen
May 9 at 19:50





9




9





This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is.

– Kevin
May 10 at 3:09





This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is.

– Kevin
May 10 at 3:09













This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make!

– securityOrange
May 11 at 19:48





This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make!

– securityOrange
May 11 at 19:48

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209812%2fhow-are-one-time-password-generators-like-google-authenticator-different-from-ha%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

Image
centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
Read more

Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

Image
AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
Read more

What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

Image
When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
Read more