Ask HN: Is using just a TOTP based authenticatation safe or a privacy issue
Hello HN,
I am envisioning a webapp with the least amount of friction to enroll a user.
Is using a TOTP based authentication with no password a safe technique or does it have some glaring holes that I am missing.
Example - user enters an email and receives a TOTP based 8 digit code valid for the next 10 minutes. The user enters the code and is able to view the authenticated information.
8 comments
[ 1.5 ms ] story [ 31.1 ms ] threadAlso to consider: What happens if a user loses their phone? How do they get access to their account?
I strive to avoid the stereotypes, but I have been unable to go without that setup since highschool!
You also have to make sure to generate and transmit recovery codes in case they lose their phone.
TOTP is also kind of annoying to use.
The best auth from a security PoV is Webauthn.
It should be offered, though, even if it's not the default.
I don't find it annoying to use at all, so long as my sessions can be sufficiently long-lived. It gets annoying when sessions end in a very short period of time, which I think can be potentially less secure because that creates more opportunities for authentication to be intercepted outside of HTTPS or for an exploit on an Authenticator-like app to be performed.
Just let me generate OTPs and stay logged in.