Authentication: TOTP

Let’s make one thing perfectly clear: TOTP ≠ OTP.

OTP = One-Time Password
TOTP = Time-based One-Time Password

As discussed in the Two-Step Verification post, OTP sends the one-time password to the user’s mobile phone via SMS or to the user’s email address. TOTP, on the other hand, uses a local app on the mobile device to generate a pass-code. If we look at the factors for an app using a password and a TOTP code, we see that it is something you know and something you have. When a user registers a mobile device, they receive a key (either as …

Authentication: Two-Step Verification

So far, I’ve realized the following:

- I have way too many identities
- Password complexity rules are implemented incorrectly
- Multi-factor authentication will provide additional authentication security

So let’s look at one of the most basic forms of MFA. Unfortunately, I’ve seen this take on many names:

- Two-Step Verification
- Two-Step Authentication
- One-Time Password

After providing your username and password for certain Web/SaaS-based apps, you are given a screen like the following:

Once you enter this verification code, you are successfully authenticated. From the user’s perspective, this is a pretty easy way to implement MFA. However, this is NOT multi-factor authentication. With 2-step verification, …