Questions tagged [one-time-password]
One-time password (OTP) protocols and implementations (software and hardware)
269 questions
9 votes | 3 answers | 3k views
Overlap for One-Time Passwords
I've got multiple OTP managers on my telephone. All of them seem to work with a constant timeout on the one-time passwords that are generated. For instance, the Microsoft authenticator works using a 6-...
1 vote | 1 answer | 200 views
Passwordless authentication with email OTP
I want to implement a passwordless authentication flow with a code sent by email but I can't find a clear best practice on how to securely implement it on the server side.
On the client side, the flow ...
4 votes | 0 answers | 177 views
What are the drawbacks of a 4-digit OTP email verification & authentication system?
I'm trying to implement an email verification system (and also authentication system).
I've decided against magic links as, even though they can be more secure, the user has a 50% chance to begin the ...
1 vote | 1 answer | 1k views
How could Telegram OTP password be compromised / hacked?
How could Telegram OTP password be hacked?
My timeline of Telegram hack attempt today:
хх:хх Login attempt?
00:47 OTP code in Telegram
00:47 OTP code in SMS to associated mobile
00:48 incomplete login,...
2 votes | 0 answers | 135 views
Usage of OTPs in combination with long-lived auto login URLs
My requirement is to implement auto-login URLs for one-click authentication. We will generate a URL with a login token (e.g. https://my-company.com/autologin?token=${autoLoginToken}), which will act ...
1 vote | 0 answers | 127 views
How to brute force security code or One Time Password
As part of my project, I am trying to brute force a security code for an app using "Forgot my password" option. I understand that I can brute force username and password using Hydra. However,...
1 vote | 0 answers | 143 views
OTP first time connection to wifi hotspot after normal password
Working at an educational institution and the learners are not allowed on the wifi and are getting the wifi password off the educators' laptops or sharing it from the educators' phone (I suspect one ...
3 votes | 1 answer | 223 views
How to securely change email address in a Mobile App with Email OTP Based Login
I'm working on a mobile app where users can only log in using their email address and receive an OTP to verify their identity. I'm trying to figure out the best approach for allowing users to change ...
0 votes | 1 answer | 160 views
Is there an attack vector for SMS verification code using a bunch of parallel requests
I'm trying to elaborate a login scenario with SMS verification code. Not sure whether it's an attack vector or not.
Assume we have a N = 3 digit code sent to a user mobile phone (3-digit code just ...
1 vote | 2 answers | 1k views
What's the safest way to store 2FA/MFA secret key in database?
I try to implement a secure user login in my .net application. The first password is hashed with argon2id. The salt and the hashed password is stored in a database. SSL encryption and HttpOnly Cookie ...
0 votes | 0 answers | 106 views
Should OTP be resent during the sign-up process if the user is already verified?
I'm building an authentication backend API that includes a resend OTP endpoint. The question is whether the API should check if the user is already verified before sending a new OTP. Specifically, if ...
1 vote | 2 answers | 289 views
Why do OTP services always say "Never share this password"?
Whenever I receive an OTP, the service always says "Never share this password." Why do they include this message?
Is it generic security advice to prevent people from being tricked into ...
11 votes | 3 answers | 3k views
What security risks do you see with wrong OTPs appearing in application logs?
An application is logging wrong OTPs (but not correct OTPs). I asked the application developers to not log wrong OTPs because I do not see any benefits. However, they do not want to modify the ...
0 votes | 0 answers | 138 views
How to avoid non-in-person "handshakes" and spoofing due to compromised URL data on NFC card
I am designing a system that allows users to purchase my NFC cards and sign up for an account on my online SaaS website.
The System
For the sake of explanation, assume the website is hosted at domain ...
0 votes | 2 answers | 174 views
Alternatives for password where at least one secret is not known by the server, with similar transparency
Some services like Bitwarden use the password to encrypt part of your personal data, so that nobody except you can access it, and they achieve this because the server only gets your password's hash ...