Help me understand TOTP
I would like to use TOTP and have learnt about it; it seems much better than SMS, but my question is about backup/restore and the possibility of losing account access if my phone with the TOTP app installed gets lost.
Can I recover accounts if I save the QR code? What are the things I need to consider while using a TOTP app (MS Authenticator, Authy, Google Auth etc.)?
What app do you suggest for it?
Best TOTP app? (24 votes)
- Authy
- Google Authenticator: 25.00%
- Microsoft Authenticator: 8.33%
- Others: 66.67%
Comments
Yes, you can. For example, I don't use those apps, I use KeePassXC, which has built-in TOTP; you can just enter the secret key and it will generate the TOTP code for you. The algorithm for TOTP is very simple.
Where/how exactly do you want to use TOTP?
If it's just for authentication (e.g. Google), they usually have a backup authentication method, like SMS.
Authy also backs up your TOTP tokens (if you want). If not, I would suggest backing them up manually. (And whenever possible make sure to generate a "printable" list of codes you can use in case of an emergency and store them, for example, in a KeePass database.)
I'd suggest a dedicated security key with TOTP capabilities. The YubiKey 5 can do this, via their desktop application, and you can optionally require a physical touch on the security key to generate a code. Not sure which other keys support it.
Don't use that, it's defeating the point of 2FA. The whole point is that the 2FA key material should exist in a different environment from your actual passwords, so that an attacker needs to compromise 2 systems instead of 1, to get at your account.
If you're storing the TOTP keys in the same database as your passwords, an attacker can just compromise that one single database and get into your accounts... it basically adds no security over a single randomly-generated password.
Thanks everyone for your input, I ended up using the andOTP app. It also has a backup option by exporting data in a password-protected .AES file. Much better than SMS, and it works even if I don't have internet on my phone.