[CyberRage]

There is one incorrect statemement that really bothered me

TOTP and passwords are not the 'similar' because TOTP is a secret generated from the 'key' and is only valid for a short time period

this make usage of that secret vastly more challenging for attackers, especially at scale.

I've seen real attacks where passwords are stolen, it is impossible to keep track of that. However for TOTP since the attacker has to login NOW, you can very easily detect anomalies of a new IP addr with many successful logins for different accounts

Or to put it differently, when you capture a password it is always valid credential but for TOTP, it requires more advanced infrastructure(automatic logins, save tokens)

and even then the token will eventually expire, with password you can generate infinite tokens

[radicality]

My understanding of the post was the the author means that from the point of view of “authenticate this user”, the TOTP _key/seed_ is quite similar to a password, which I would agree with. Especially if you’re storing both in your password manager like the OP.

[kortex]

> the TOTP _key/seed_ is quite similar to a password

It's not though. The whole point is the secret moves once, from server to client (ignoring user exports and whatnot). Pass(word|key)s are basic authentication, and so have to be transmitted with every request. That's a huge difference in surface area. Also they are guaranteed to be high entropy, unlike user-picked passwords with no filter.

[CyberRage]

It is not because:

1. TOTP is time based, after 30 seconds it means absolutely nothing, you cannot recreate the 'secret key' from that number

2. with TOTP everything is well-known. TOTP will usually generate a 6 digit 'secret', this makes managing it very predictable:

6 digits = 1,000,000 options(including all zeros) we can easily calculate a good security margin

like: 5 attempt - 5/1,000,000 = 0.000005% chance of success Very predictable security margin

for passwords it's a huge unknown, it entirely depends on the user password quality

[krupan]

While you are technically correct, you are missing the whole point of the blog post

[CyberRage]

Seems like a rant to me.

Passwords are used because they are convenient and intuitive.

Once you use a 'password manager' you basically have a glorified key generator/storer

We already have so many alternatives from GPG keys to FIDO/FIDO2 solutions

Security isn't always the first priority when running a website/app, it is the sad but honest truth(coming from security expert with over a decade of experience)