by nine_k 721 days ago
What are the right flags for using TOTP? I thought it's so standard now, it's basically fool-proof, as long as you set the number of digits and the timeout correctly, and the default 6 digits and 60 seconds are just fine.

Where's the catch?

1 comments

If you do push auth, require the user to enter a number provided. Throttle auth attempts to something reasonable based on your user population. Lockout auth after X number of bad attempts and require escalation. Provide a way to report unapproved auth attempts received (which should get piped to your incident response and identity compromise playbook(s)). This should stop any brute force attack in its tracks.

For TOTP, I prefer 30 second TTLs for the OTP. A tight window makes it very difficult to phish if you must support a user using TOTP. If someone has challenges with this due to the short window, upgrade them to device bound passkeys.
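The two measures the reply combines, a 30-second TOTP step and throttling with lockout after repeated bad codes, put together as an added example that is not part of the thread. It implements RFC 6238 TOTP over HMAC-SHA1 on the standard library only; the lockout threshold, lockout duration, and the one-step clock-skew allowance are assumptions, not values from the comment, and the test secret is the RFC 6238 reference secret.

```python
"""Added example (not from the HN thread): RFC 6238 TOTP with a 30-second step,
plus a per-user failure counter and lockout so that guessing a 6-digit code
stays impractical. MAX_FAILURES, LOCKOUT_SECONDS and the skew window are
illustrative assumptions."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # the 30-second TTL the comment recommends
DIGITS = 6
MAX_FAILURES = 5         # assumed lockout threshold
LOCKOUT_SECONDS = 900    # assumed lockout duration (15 minutes)

# RFC 6238 reference secret, used here only as constructed test input
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Verifies codes for the current step plus `skew_steps` either side,
    rejects replay of an already-accepted step, and locks a user out after
    MAX_FAILURES consecutive bad codes (the point at which the comment says
    to escalate to incident response)."""

    def __init__(self, skew_steps: int = 1):
        self.skew_steps = skew_steps
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, int] = {}
        self.last_counter: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> tuple[bool, str]:
        if now < self.locked_until.get(user, 0):
            return False, "locked"
        counter = now // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            c = counter + delta
            # a step at or before the last accepted one is a replay: skip it
            if c <= self.last_counter.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, c), code):
                self.failures[user] = 0
                self.last_counter[user] = c
                return True, "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            # lock the account; a real deployment would also raise an alert here
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return False, "locked"
        return False, "bad_code"


if __name__ == "__main__":
    v = TotpVerifier(skew_steps=0)
    print(totp(RFC6238_SECRET, 59))                          # 287082
    print(v.verify("alice", RFC6238_SECRET, "287082", 59))   # (True, 'ok')
    print(v.verify("alice", RFC6238_SECRET, "287082", 59))   # replay -> (False, 'bad_code')
```

With `skew_steps=0` the verifier accepts only the current 30-second step, which is the tight window the reply favours; raising it to 1 tolerates a client clock a few seconds off at the cost of a roughly three times larger window per attempt, which is why the attempt throttle matters as much as the step length.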