

Beware when using TOTP (Google Authenticator) - webhat
http://www.warmenhoven.co/2014/05/12/beware-using-totp-google-authenticator/

======
akerl_
The title is quite linkbaity. I mostly agree with the main premise, which is
"If you're passing your first factor via the same device that has your 2nd
factor's secret key, you only have 1 factor", but that doesn't mean we should
"beware" TOTP.

~~~
adrianusw
Hi, I am the author...

I do not see anywhere saying to beware _of_ TOTP, but _when_ using TOTP. And
that is only in the title ;)

~~~
akerl_
As an end user, bewaring an idea and bewaring using the idea are pretty much
the same. And putting it in the title is why I called the title linkbait.

~~~
adrianusw
Hmm, I do not agree, but that may be just me being rigorous in wording as a
habit.

End users being a moving target, I may have been out of touch with them for
some time; my target audience is rather people in security for whom I try to
write up some ways to stock up on some verbal ammo for those fantastic
corporate meetings.

But it is not intended as such (linkbait) and since it is my blog I can gripe
in any way I see fit :)

~~~
webhat
The title might more aptly be "Beware when using third-party TOTP
implementations (Google Authenticator)"

