How TOTP (Time-based One-time Password Algorithm) Works for 2 Factor Authentication

Here is the TOTP Bash Script I used in the video

Comments

I recently had a scare when I ended up dropping my phone into water. The first thing that popped into my head was I can't get into any of my accounts anymore. Luckily I had trusted my laptop for most of my accounts so I was able to log in and disable 2 factor. I love 2 factor authentication but this made me rethink my backup solutions just in case I broke my phone again.

TJoseph
Great video, thank you for making it easy to understand.

bmpatel
How can I understand the OTP code generating algorithm of an *http* website? I have my username & PW. But the OTP gets delayed due to my weak network or maybe for different reasons. Is there any way I can generate or understand the OTP without waiting for the OTP code in my SMS?

AnkitKamli
What an excellent video, Tysm! I take it things haven't changed much under the hood, right?

EnglishRain
Where can I find the bash code? Thanks

adeltabsh
0:18 surely such a hacker would then also have the secret key for TOTP
So TOTP will defend against a user hack but not against a server hack.

An.Individual
But the secret key is encrypted somehow, or isn't it?

Chem-iujx
One question I've always had on this is whether it would be easy to brute force into an account even without the authenticator if you had someone's username and password. Like, you only have 30 seconds before the code resets but there are also only 1,000,000 unique combinations for the typical six-digit 2FA code. Do most sites just cap the number of attempted logins in a short period of time to reduce the risk of someone guessing the code?

Let's say a site limits you to five login attempts per hour and it takes six months for me to hear about the breach and reset my password. In that situation an attacker would have about a 2.2% chance of accessing my account before I could change my password, assuming they're always trying the maximum amount of codes and no one stops them. Comparing that to the 100% chance they'd have without 2FA, this seems like a clear win for 2FA.

With that said, I don't have much feel for how possible brute force attacks are in the real world. Is it reasonable to expect attackers could only do a handful of attempts an hour? Or could they theoretically just brute force right through with no limits? Obviously 2FA is better than nothing, but given that there are downsides too (e.g. slower login times, higher risk of losing access to your account) I'm trying to gauge the practical utility of 2FA.

notstarboard
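An added example, not part of the comment above and not the Bash script from the video: a minimal RFC 6238 verifier with the two server-side controls the question turns on (an attempt cap and one-time use of each accepted time step), plus the guess-probability arithmetic. `ThrottledVerifier`, its limits (5 attempts per hour, one step of clock drift) and `guess_success_probability` are hypothetical names and values chosen for illustration.

```python
import hashlib, hmac, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class ThrottledVerifier:
    """Per-account check: at most `limit` attempts per `window` seconds."""
    def __init__(self, secret, limit=5, window=3600, drift=1):
        self.secret, self.limit = secret, limit
        self.window, self.drift = window, drift
        self.attempts = []       # timestamps of recent attempts
        self.last_step = -1      # last accepted time step (blocks replay)

    def verify(self, code: str, now: float) -> str:
        self.attempts = [t for t in self.attempts if now - t < self.window]
        if len(self.attempts) >= self.limit:
            return "throttled"   # refused before the code is compared
        self.attempts.append(now)
        for d in range(-self.drift, self.drift + 1):
            step = int(now) // 30 + d
            expected = totp(self.secret, step * 30).encode()
            if step > self.last_step and hmac.compare_digest(
                    expected, code.encode()):
                self.last_step = step
                return "ok"
        return "bad"

def guess_success_probability(attempts, valid_codes=1, digits=6):
    """Chance that at least one of `attempts` random guesses is accepted."""
    return 1 - (1 - valid_codes / 10 ** digits) ** attempts

if __name__ == "__main__":
    # Constructed scenario from the comment: 5 guesses/hour for ~6 months.
    n = 5 * 24 * 365 // 2
    print(f"{n} guesses: {guess_success_probability(n):.1%} with one valid "
          f"code, {guess_success_probability(n, 3):.1%} with a 3-step window")
```

Accepting adjacent time steps for clock drift raises the number of valid codes per guess, so the attempt cap has to be sized with the drift window in mind.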
I wish Authy and related apps could somehow transfer devices when I get a new iPhone and restore from an encrypted backup. Maybe it’ll be solved someday. Normal users won’t know about this. Heck, I barely caught it when I got a new phone.

smccrode
Did you say that "someone could hijack your phone number without getting your phone"? Mind explaining exactly how this could be achieved? I doubt such a thing is possible unless you work for the mobile operator or the CIA. I think the authenticator was implemented mainly because companies don't want to pay for the SMS.

andresz
That weird sound issue is there again. It's got to be that silver mic you use for this vlog; the other mic you use doesn't make the weird noise. Is the diaphragm on its way out, or possibly some distortion creeping in somewhere? You got a different mic to use? I hear eBay is good for (hint)?

stuartwhittaker
I accidentally deleted one of my exchange website's 2 factor authentication. I tried to log in using the backup code but it said expired, and now I cannot log in to my account. My account has bitcoins in it. I tried to message the site support but I'm not sure if they will respond.

monkeyking
PayPal is unsafe and awful. Even C- eBay dropped PayPal/Braintree

Gluluman