by woodruffw 1149 days ago
Yes: to a first approximation, a second factor is something you are (or have), while a first factor is something you know. A second factor doesn't need to be unique, although uniqueness has separate benefits (especially when the unique factor is hard to clone or access physically).

TOTP isn't an ideal second factor, for most of the reasons above (combined with poor adherence to the standard, meaning that only the most basic subset of features tend to work). But it is still a second factor, unless you can do HMACs in your head :-)

2 comments

> Yes: to a first approximation, a second factor is something you are (or have), while a first factor is something you know.

But the typical TOTP-in-password-manager setup is missing the other factor; there is nothing you know in such a setup.

In that case, the thing you know would be the password to the password manager.

But yes, I agree. I keep my TOTP on my phone (I use Aegis) and my password manager on my desktop computer.

> But it is still a second factor, unless you can do HMACs in your head

Ok. Thanks for sharing your thoughts.