Hacker News new | past | comments | ask | show | jobs | submit login

The setup string which generates the time codes is basically a second password. If something can read that setup string, they can generate their own TOTP codes for your account whenever they want.



Oh you're discussing storing the seed, not the TOTPs themselves.


So you're not actually talking about the TOTP codes that are generated?


I've done a piss poor job of describing it, but the way TOTP works is there is a "setup code" or a setup "string". Often in a QR code format.

That string is all that is needed to generate all of the TOTP codes forever. So while the TOTP code that you type is different every minute, it's generated by doing some math on the setup string and the current time.

Some password managers (like 1Password) allow you to have them generate your TOTP codes by putting in your setup string into them (often using the exact same process you would do to setup your TOTP codes in an app). But i'm saying that's not a good idea if you are going for "most secure", because at that point if something were to somehow exploit your password manager, they will not only get your username and password, but will have that setup string as well so they can generate their own TOTP codes for you.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: