by tialaramex 1720 days ago
> secrets are not static, unlike passwords

The TOTP secret is static. The one time codes are just trivially generated from the secret. Now, TOTP is designed to use a cryptographic hash function (I assume SHA-1 is still being used in this case, which is short of ideal but it's not the weakest link here) and so it isn't practical to unwind the hash and get the actual secret but...

> you can revoke access to someone's future ability to authenticate without having to change passwords

The agent knows the secret and so can generate any such codes at any time. I assume it's hard to convince it to give you codes for tomorrow or next Wednesday, but who knows?
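The mechanism the comment describes, as an added example (not code from the thread or from any product discussed in it): RFC 6238 TOTP is HOTP with the counter set to the current 30-second step, so every code is a pure function of the static secret and a timestamp. The block uses the RFC's own test secret (ASCII "12345678901234567890") so the output can be checked against the published vectors, and `codes_for_range` shows that holding the secret is enough to precompute the codes for any future window. The `verify` helper and the base32 decoder are conventional server-side pieces included for completeness, not anything the thread specifies.

```python
"""TOTP (RFC 6238) worked example: the shared secret is static, and each
one-time code is derived from it plus the current 30-second step number.
Anyone holding the secret can mint codes for any past or future time; only
rotating the secret revokes that ability.

Added example, not from the original HN thread. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used so the
# output can be checked against the published vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits, digestmod)


def codes_for_range(secret: bytes, start: int, end: int, step: int = 30) -> dict:
    """Precompute every code valid between two unix timestamps.

    This is the comment's point: codes are a deterministic function of the
    static secret, so knowing the secret today yields the codes for tomorrow
    or next Wednesday just as easily as for right now.
    """
    first, last = start // step, end // step
    return {c * step: hotp(secret, c, step and 6) for c in range(first, last + 1)}


def verify(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check accepting +/- `skew` steps of clock drift.

    hmac.compare_digest keeps the comparison constant time.
    """
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-skew, skew + 1)
    )


def decode_base32_secret(b32: str) -> bytes:
    """otpauth:// URIs carry the secret base32-encoded, usually without padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Published RFC 6238 vector: T=59, SHA-1, 8 digits -> 94287082
    print(totp(RFC_SECRET, 59, digits=8))
    # Every code for one hour starting a week from now, from nothing but the secret
    now = int(time.time())
    future = codes_for_range(RFC_SECRET, now + 7 * 86400, now + 7 * 86400 + 3600)
    print(len(future), "codes precomputed for a future hour")
```

Running it prints the RFC vector and then 121 codes for an hour one week ahead; a `verify` on the server has no way to tell a precomputed code from one typed off a live authenticator, which is why revocation of a compromised TOTP secret means re-enrolling rather than waiting for the current code to expire.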