Implementing TOTP for 2FA
First of all, note that "Security" is not an option in the Category dropdown for composing messages on this forum.
Now to the topic of 2FA. Cursory browsing in security forums will reveal that both SMS and Passkeys are quite problematic. SMS is subject to SIM hacking, and Passkeys... well just do a Google search for "the problem with passkeys" for some interesting reading.
Currently the most secure and portable 2FA method is TOTP, so it's rather surprising that WA isn't implementing it. I hope WA implements TOTP in the very near future.
Jim Garrison
shared this idea
-
Jim Garrison
commented
Thanks @WNCFHG, as you noted, TOTP is "Time-based One Time Password". In this protocol, there is a shared secret, generated by the website, but each time it is requested it is combined with the current time of day (rounded to 30 seconds) and hashed. The resulting random code is the only thing transmitted, so the secret never goes over the wire except when it is set up initally. This is also known as "Authenticator based" because an app on your device (or password manager), the Authenticator, generates the code on request.
2FA stands for "2-Factor Authentication", where two forms of identification, password and one-time-code, are required.
I assume everyone knows what SMS is (text message) and SIM (Subscriber Identity Module) which is what links your phone number and account to your mobile phone.
-
WNCFHG
commented
It might help the cause to explain that TOTP means Time-based One Time Password, and to spell out other acronyms.
