
juriansluiman | 6 years ago

Yes but that's a whole different 2FA implementation, where sites must support U2F (webauthn). Unfortunately, the implementation of TOTP is far more common than U2F.

Ideally all sites will implement U2F as two-factor authentication, but there aren't that many users who have a U2F-compatible token. The reach of TOTP is far beyond that of U2F, which is probably why sites use TOTP more than U2F.

When sites offer both, choose U2F. When sites offer TOTP only, use it. It is better than nothing. When you have a YubiKey already, use the Yubico Authenticator app to store the TOTP secret, to make your TOTP attack surface smaller and to have the ability to change your phone without losing TOTP secrets.

EthanHeilman | 6 years ago

>When sites offer both, choose U2F. When sites offer TOTP only, use it.

This, 100%.

In some sense TOTP, basically HMAC, seems like it would be harder to screw up than a public key system. RSA is amazingly hard to get right. I wonder if the order of preference should be:

1. U2F ECDSA/EdDSA

2. TOTP

3. U2F RSA ... Infinity. SMS 2FA

No idea where ECDAA [0] fits.

[0]: https://paragonie.com/blog/2018/08/security-concerns-surroun...