
That's insightful. So you shouldn't only reset your passwords, but your TOTP setup too (if you set it up in this period).

I think it's a flaw of TOTP though. The client secret should be client-generated and should never leave the device.



Yes, unfortunately both the client and server need to have that shared private key to generate the same codes.

Transmitting the key over a 'secondary' channel would have protected people here.

It begs the question of whether or not TOTP is really 2FA if it is set up using a single channel of communication.



