Comment by inferiorhuman
5 days ago
I have to pull a number from Google Authenticator to log into my FB account so I can only assume they're not simply generating random numbers.
5 days ago
I have to pull a number from Google Authenticator to log into my FB account so I can only assume they're not simply generating random numbers.
Two different flows, an online and an offline.
TOTP devices can be powered offline, which makes it extra secure: as you don't transfer any data around, the possibility of leaking it is extremely low.
Random numbers could only work in an online flow, where the server sends you a one-time code using a secure communication method, such as a trusted phone number or email address.
But they’re not sending you this number via email.
Correct. Before they killed mbasic the prompt said they would text me a code, but in reality they were prompting for a TOTP code.