Correct me if I’m wrong but U2F tokens are an antidote to TOTP seeds being leaked, right?
Edit: some reading: https://en.m.wikipedia.org/wiki/Universal_2nd_Factor I have the advantages and disadvantages section a read and I believe I got it right. The one major disadvantage I’ve read about is that there is no backup. At a place I worked, we registered two keys and kept one as a backup. It seemed to work okay.
> The remaining issues, however, are phishing and man-in-the-middle attacks, the most infamous assaults that defeat OTP technology. The theory is quite simple: the hacker sets up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters his information (user name, password, and even his one-time password), it is immediately intercepted by the hacker and used to access the victim’s account.
Later, on FIDO U2F:
> Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. As the legitimate server is issuing the challenge, if a rogue site or middle-man manipulates the flow, the server will detect an abnormality in the response and deny the transaction.
I thought ‘public’ means it can be shared widely without there being a risk to the private key. What threat model would consider it a risk to have a public key exposed?
Sorry, I was asking about U2F as an alternative to TOTP and not a method of implementing such. If I’m not mistaken that was unclear on my part and you were led to interpret what I said a different way than I intended.
Edit: some reading: https://en.m.wikipedia.org/wiki/Universal_2nd_Factor I have the advantages and disadvantages section a read and I believe I got it right. The one major disadvantage I’ve read about is that there is no backup. At a place I worked, we registered two keys and kept one as a backup. It seemed to work okay.
Also this: https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/
On OTP:
> The remaining issues, however, are phishing and man-in-the-middle attacks, the most infamous assaults that defeat OTP technology. The theory is quite simple: the hacker sets up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters his information (user name, password, and even his one-time password), it is immediately intercepted by the hacker and used to access the victim’s account.
Later, on FIDO U2F:
> Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. As the legitimate server is issuing the challenge, if a rogue site or middle-man manipulates the flow, the server will detect an abnormality in the response and deny the transaction.