
How? TOTP does not embed the domain, as it is generated on a separate device which does not communicate with your browser, and does not know the target domain. TOTP is literally HMAC(shared-secret, time-interval) mapped to a short range (e.g. mod 10^6).


My password manager only fills passwords on the domain they belong to, and it’s also my TOTP generator so the same applies there too.


> it is generated on a separate device which does not communicate with your browser, and does not know the target domain.

No, not always, and many password manager solutions do integrate with your browser and know the domain for the password.


Then that's not TOTP (https://datatracker.ietf.org/doc/html/rfc6238) but something different. Do you know what it is called and which products support it? I'd love to read up about it!


Bitwarden has TOTP support in the paid plan. And it works with the browser extension, which recognises domains.


It certainly recognizes the domain, but that's more of a convenience feature than a security feature. Nothing is stopping you from putting your example.com code into legit-example.com manually. Sure, the extension won't do it automatically, but if the user is convinced to put the password into the fake website, the user could also put in the TOTP code.
