undefined | Better HN

0 pointsm-p-33y ago0 comments

I only wish they'd support standard TOTP as well, like everyone else.

0 comments

I wish they'd let users decide what they want to use as additional factors. I would like to ban phone calls, emails, SMS, and TOTP entirely from all my accounts, especially those that hold credentials for other services, and use only WebAuthn.

I'd love to use Apple's keychain for credentials for convenience but it can quickly become the weakest link, when it should be the strongest.

PascLeRasc3y ago

What’s wrong with TOTP? Isn’t it exactly as secure as WebAuthN?

cubesnooper3y ago

TOTP is not as secure as WebAuthn, because if you enter the TOTP code into a phishing site, the phisher can now successfully authenticate as you. WebAuthn was specifically designed to be immune to this case: if you were to use your WebAuthn key in a phishing website, the phisher would not then be able to authenticate as you on the real site.

withinboredom3y ago

You have to have the generator somewhere to get the code. If it's in software, you must have access to that software, and it must be secure. With WebAuthN, it can be a hardware token and usually multiple of them stored in various locations that only you can access (safe deposit box, physical safe, etc).

j / k navigate · click thread line to collapse