Comment by csomar

2 years ago

Are you sure you understood the article? The token is supposed to be a secret and the TOTP generation should happen remotely. This is not the case and this suggests a fundamental lack of security practices at the company.

"Should happen remotely" – according to who? What is the security risk for the end-user?

"this suggest a fundamental lack of security practices at the company" – that's a stretch of a conclusion to make. You're being as hyperbolic as the original post.

What didn't I understand about the article? This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities.

  • > This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities

    It offers nothing to the user, except taking away their rights, and making it all unreliable

> the TOTP generation should happen remotely.

It says that it is available offline (if you've viewed it in the last 20 hours), so the TOTP generation can't happen remotely

Well, it's more like the "security" they want is fundamentally incompatible with support for offline use in this case (as long as we have open computing platforms, anyway).

Which would increase the problem he described--too many people trying to get in overloading the local bandwidth.

It's enough to defeat screenshotting, and the 20-hour bit would defeat large-scale malicious use.

Not good security but probably good enough, especially in stopping the resale of stolen tickets.
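The two points argued above (offline viewing means the secret is on the phone, and rotation plus a 20-hour cutoff still defeats a stale screenshot) can be shown with a small RFC 6238 model. This is an added illustration, not code from the ticketing app or the article; the 30-second step, the ticket dictionary and the scanner logic are constructed assumptions, and only the 20-hour figure comes from the thread.

```python
import hashlib
import hmac
import struct

STEP = 30               # assumed rotation period in seconds; the real app's is not stated
VALID_FOR = 20 * 3600   # offline validity window the comments mention (20 hours)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on the secret and the time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def issue_offline_ticket(secret: bytes, viewed_at: int) -> dict:
    """Constructed model of an offline-capable ticket: it must carry the secret
    itself, so the phone can keep producing codes with no network round trip."""
    return {"secret": secret, "expires_at": viewed_at + VALID_FOR}


def gate_check(ticket: dict, presented: str, now: int, window: int = 1) -> bool:
    """Scanner side: refuse expired tickets, then accept a code from the current
    step or one adjacent step (clock drift), comparing in constant time."""
    if now >= ticket["expires_at"]:
        return False
    for drift in range(-window, window + 1):
        expected = totp(ticket["secret"], now + drift * STEP)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def screenshot_scenario(now: int = 1_700_000_000) -> tuple:
    """A screenshot taken ten minutes before the gate is stale; the live app
    passes; once the 20 hours run out, even the live app is refused."""
    ticket = issue_offline_ticket(b"constructed-demo-secret", now - 600)
    screenshot = totp(ticket["secret"], now - 600)
    later = now + VALID_FOR
    return (
        gate_check(ticket, screenshot, now),                        # stale screenshot
        gate_check(ticket, totp(ticket["secret"], now), now),       # live code
        gate_check(ticket, totp(ticket["secret"], later), later),   # expired ticket
    )
```

Because the secret sits in the ticket dictionary, anyone holding the phone's data can compute codes for any future step; the scanner's expiry check is what bounds that, which is the trade-off the comments describe.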