undefined | Better HN

0 pointscommandersaki1y ago0 comments

I don't see why SMS would need to write to a store, public or not. One can implement SMS-2FA using TOTP for example, it's just that the TOTP secret is not shared with the recipient.

0 comments

TonyTrapp1y ago

Yes, it is not a technical necessity to store these messages. But there is the option to do it (and some people are evidently doing it). The point is that for one-time-passwords, it's not even an option, not matter how hard you try. You simply cannot make this class of mistake. Unless you try really really hard to fuck up and, say, for some very weird reason, exfiltrate the one-time passwords generated on the user's device every few seconds.

warkdarrior1y ago

How does the bank verify the OTP generated on the user's device?

j / k navigate · click thread line to collapse

0 pointscommandersaki1y ago0 comments

I don't see why SMS would need to write to a store, public or not. One can implement SMS-2FA using TOTP for example, it's just that the TOTP secret is not shared with the recipient.

0 comments

TonyTrapp1y ago

warkdarrior1y ago

How does the bank verify the OTP generated on the user's device?

j / k navigate · click thread line to collapse