Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

TOTP isn't any more real than SMS. Social engineering easily defeats both. Use FIDO2 or U2F.

[Cue usual HN discussion about loss or unavailability of physical tokens]



This is not true, SMS can be MITMd easily with sim jacking and TOTP is running fully offline.


TOTP is the one that is more trivially MITMed. SMS is also vulnerable to the Confused Deputy problem.


False. Every MITM technique for TOTP works for SMS. Not the other way round.


A TOTP-based phishing attack can start entirely from a false origin. The user can enter the offline-generated secret into that false origin and never realize the phishing even happened.

SMS MITM is harder to pull off, as the normal UX flow assumes the origin knows the user's phone number, which is a weak measure of authenticity on the part of the origin. If a user is taken to a false origin to begin with, then it must somehow either prompt the user for a phone number (which is likely to signal to the user that something is amiss), or else have an actual communication conduit to the true origin so that it can trick it into initiating the SMS challenge.

By the way, we're misusing the term MITM here, but I went with it to keep the conversation going. I believe OP meant phishing.

Edit, since we're in a reply war that HN code is properly stifling: of course we're talking about the TOTP generated secret (what you're calling the six-digit PIN), not the shared secret that's transmitted from the origin once at setup time. SMS and TOTP are both atrociously susceptible to social engineering, and SMS has the additional feature that the engineering can happen without any involvement of the user. Your downvoting suggests there's a significant difference between the two, but phishing studies show that all of us, even those of us who consider ourselves experts, are vulnerable to phishing.


> The user can enter the offline-generated secret into that false origin and never realize the phishing even happened.

That's pretty far-fetched, never heard of a phishing attack that tricked the TOTP secret from users. I bet 99.99% of TOTP users don't even have access to the secret. You can only trick the six digit code out of them, valid for 30 seconds, which you then feed into the actual login form / API.

The SMS code phishing flow is the same. You trick the username and password out of the user, feed it into the actual login form, trigger the SMS challenge, and once again trick the six digit code from the user (which is usually valid for longer than 30 seconds, btw).

Except with SMS there are many ways to intercept.

Re edit: “Your downvoting suggests there's a significant difference between the two, but phishing studies show that all of us, even those of us who consider ourselves experts, are vulnerable to phishing.” With SMS you don’t even need phishing, you can combine leaked credentials (e.g. from other breaches) and SIM jacking to hijack accounts. Plenty of high profile cases posted here before. That’s the scary part: no phishing at all. And you never backed up the “TOTP is the one that is more trivially MITMed” claim.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: