
Help me understand TOTP

TheKiller Member
edited February 2020 in General

I would like to use TOTP and have learnt about it. It seems much better than SMS, but my question is about backup/restore and the possibility of losing account access if my phone, with the TOTP app installed, gets lost.

Can I recover accounts if I save the QR code? What are the things I need to consider while using a TOTP app (MS Authenticator, Authy, Google Auth, etc.)?

What app do you suggest for it?

Poll: Best TOTP app? (24 votes)
  1. Authy
  2. Google Authenticator: 25.00%
  3. Microsoft Authenticator: 8.33%
  4. Others: 66.67%

Comments

  • TheKiller said: Can I recover accounts if I save the QR code?

    Yes, you can. For example, I don't use those apps; I use KeePassXC, which has built-in TOTP: you can just enter the secret key and it will generate the TOTP code for you. The algorithm for TOTP is very simple.

    Thanked by 1 TheKiller
  • Where/how exactly do you want to use TOTP?

    If it's just for authentication (e.g. Google), they usually have a backup authentication method, like SMS.

    Thanked by 1 TheKiller
  • Authy also backs up your TOTP tokens (if you want). If not, I would suggest backing them up manually. (And whenever possible, make sure to generate a "printable" list of codes you can use in case of an emergency and store them, for example, in a KeePass database.)

    Thanked by 1 TheKiller
  • joepie91 Member, Provider
    edited February 2020

    I'd suggest a dedicated security key with TOTP capabilities. The YubiKey 5 can do this, via their desktop application, and you can optionally require a physical touch on the security key to generate a code. Not sure which other keys support it.

    webdev said: Yes, you can. For example, I don't use those apps; I use KeePassXC, which has built-in TOTP: you can just enter the secret key and it will generate the TOTP code for you. The algorithm for TOTP is very simple.

    Don't use that; it defeats the point of 2FA. The whole point is that the 2FA key material should exist in a different environment from your actual passwords, so that an attacker needs to compromise 2 systems instead of 1 to get at your account.

    If you're storing the TOTP keys in the same database as your passwords, an attacker can just compromise that one single database and get into your accounts... it basically adds no security over a single randomly-generated password.

    Thanked by 1 TheKiller
  • Thanks everyone for your input. I ended up using the andOTP app. It also has a backup option by exporting data in a password-protected .AES file. Much better than SMS, and it works even if I don't have internet on my phone.
