by patrakov
1144 days ago
I think yes. While PCI DSS 4.0 says nothing specific about TOTP, it on page 171 also has this phrase about certificates: "A digital certificate is a valid option for 'something you have' if it is unique for a particular user". So it is not an unreasonable analogy to claim that the TOTP seed stored in a desktop application is also "something that you have", as not having it prevents you e.g. from logging in from your friend's laptop.
Oh, ok. This is very convincing. Thanks for sharing.