Recording a TOTP secret next to your password would make 2FA worthless, true. Th... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

Xylakant on Nov 22, 2017 | parent | context | favorite | on: Uber Paid Hackers to Delete Stolen Data on 57M Peo...

Recording a TOTP secret next to your password would make 2FA worthless, true. That’s why you should use hardware generators whenever possible. However, Github supports Fido/u2f which is conceptually superior to TOTP: The authentication secret is bound to the domain and the token generator verifies this. So even a software u2f implementation protects against phishing for example, while TOTP does not.

bringtheaction on Nov 22, 2017 [–]

Do you know of any open source software implementations of u2f.

Xylakant on Nov 22, 2017 | [–]

Firefox includes one IIRC and there’s githubs SoftU2F for Mac https://github.com/github/SoftU2F

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact