by gkbrk
1507 days ago
There is no sync to provider servers on any TOTP implementation I use. Nor does a TOTP implementation need to be an application on a phone. Are you perhaps referring to the Google Authenticator or the Microsoft Authenticator apps when you refer to TOTP? Manufacturers that sell the "meaningful" 2FA hardware tokens can manufacture and sell duplicate keys, they even provide this as a service when you want backup keys. What makes you think they don't "securely" make a few duplicates themselves?

That's hard to dispute, but will you accept https://guide.duo.com/duo-restore as a counterexample?
> Are you perhaps referring to the Google Authenticator or the Microsoft Authenticator apps when you refer to TOTP
No, I'm referring to the actual RFC 6283 TOTP protocol. Which uses a trivially-cloned single private key. Which is, see the example above, in fact trivially cloned 'for convenience' by at least one widely-used 'enterprise' security solution.
> What makes you think they don't "securely" make a few duplicates themselves?
Since that literally makes no sense if you know how hardware tokens work.