Linux - Security (LinuxQuestions.org forum)
This is not specifically a Linux-related question, but I didn't know where to ask.
Since Twitter will soon remove SMS/text messages for 2FA, I installed and configured FreeOTP.
I'm having a hard time understanding how it works:
To add a new site ("token"), I have to use the app's embedded camera to take a picture of the site's QR code: What does it contain?
How does the app get the six-digit number, that's only usable for a short time? From the site through an Internet connection? In that case, does it mean OTP doesn't work if no Internet connection is available?
OTP systems are based on cryptographic algorithms. The idea is that both ends are "seeded" using the same number (probably the number in the QR code), and from then on they can generate the same pseudo-random sequence of numbers.
So no, these systems do not need an Internet connection in order to work.
As was mentioned, that number is a pseudo-random number, which means it looks like a real random number, but the same number is generated on the two devices (it looks like they are synchronized, but they are not connected to each other). This synchronization is based on a common seed or something similar, which is set up only once, at the beginning, when you add a new site.
The generation of the [next] random number is based on a local algorithm, which is built into the hardware key used by the site (in your case Twitter) or into your phone, without using any external resources, and therefore should in theory work everywhere.
"The two main methods for delivery of the OTP are:
SMS Based […]
Application Based: This method of OTP generation is done on the user side using a specific smartphone application that scans a QR code on the screen. The application is responsible for the unique OTP digits. This reduces wait time for the OTP as well as reduces security risk as compared to the SMS based delivery.
The most common way for the generation of OTP defined by The Initiative For Open Authentication (OATH) is the Time Based One Time Passwords (TOTP), which is a Time Synchronized OTP. In these OTP systems, time is the cardinal factor to generate the unique password. The password generated is created using the current time and it also factors in a secret key.