undefined | Better HN

0 pointsSpivak2y ago0 comments

TOTP is just PAKE with a funny way of writing the password.

We tricked people into using actually secure passwords and password managers by calling it 2FA and devising a scheme where the human does the challenge and the server necessarily must keep that part of the password in plaintext, but in exchange the user doesn't have to type out the long part of the password every time.

0 comments

lxgr2y ago

No, TOTP is a weaker version challenge-response authentication (with the challenge being time-based and not provided by the verifying/challenging party).

PAKEs do significantly more; in particular, they are MITM resistant (unlike TOTPs) and provide mutual authentication.

j / k navigate · click thread line to collapse

0 pointsSpivak2y ago0 comments

TOTP is just PAKE with a funny way of writing the password.

0 comments

lxgr2y ago

No, TOTP is a weaker version challenge-response authentication (with the challenge being time-based and not provided by the verifying/challenging party).

PAKEs do significantly more; in particular, they are MITM resistant (unlike TOTPs) and provide mutual authentication.

j / k navigate · click thread line to collapse