Date: Fri, 29 Mar 2019 19:03:21 +0300
From: Anton Dedov <>
Subject: UX/security of TOTP configuration process

Hello folks!

A question on implementing TOTP 2FA in an application.

Is it OK to ask users to back up the TOTP secret in a secure place during the
2FA configuration process? Or is it better to provide one-time recovery codes?

The argument against TOTP secret backup can be an assumption that if the
secret leaks, it can be maliciously used without the victim user ever noticing it.

Anton Dedov
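
The trade-off raised in the question, as an added example that is not part of the original post: a TOTP code (RFC 6238) depends only on the secret and the clock, so a backed-up copy of the secret yields the same codes as the enrolled device for as long as the secret stays enrolled, while a recovery code is consumed on first use and leaves an audit event. The `RecoveryCodes` class, its SHA-256 storage and the event names are assumptions made for illustration; the secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, secrets, struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): a pure function of the secret and the clock."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class RecoveryCodes:
    """Hypothetical server-side store: hashed, single-use, audited."""
    def __init__(self, count=8):
        self.plaintext = [secrets.token_hex(5) for _ in range(count)]  # shown to the user once
        self._unused = {self._h(c) for c in self.plaintext}
        self.audit = []  # (unix_time, event); a real service would also notify the user

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def redeem(self, code, unix_time):
        digest = self._h(code)
        ok = digest in self._unused
        self._unused.discard(digest)  # consumed: the same code cannot be replayed
        event = "recovery_code_used" if ok else "recovery_code_rejected"
        self.audit.append((unix_time, event))
        return ok

def compare_backups(now=1111111109):
    # Constructed sample: the RFC 6238 test secret, not a real credential.
    secret = base64.b32encode(b"12345678901234567890").decode()
    # The enrolled phone and a backed-up copy compute identical codes;
    # the server has no signal that tells one holder from the other.
    phone, backup_copy = totp(secret, now), totp(secret, now)
    later = totp(secret, now + 86400)  # the copy still produces valid codes a day later
    rc = RecoveryCodes()
    first = rc.redeem(rc.plaintext[0], now)
    replay = rc.redeem(rc.plaintext[0], now + 60)
    return phone, backup_copy, later, first, replay, rc.audit

if __name__ == "__main__":
    print(compare_backups())
```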
