Please correct me if I'm wrong anywhere, but from what I understand, popular mobile phone based two factor authenticators like Google Authenticator implement TOTP, which uses a shared secret key that is shared between the phone and the authenticating server.
Why did they decide to use a single shared secret key when they could have used a public/private key pair? The phone would store the private key and could sign an incrementing counter/timestamp, and the authenticating server could verify the signature with the public key. It seems more secure, since a breach of the authenticating server wouldn't compromise the user's secret key. Are there any advantages that a shared secret key provides?
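To make the two designs in the question concrete, here is an added example (not part of the original post, and not Google Authenticator's code). It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 from the Go standard library, shows the server-side check that forces the server to hold the same secret as the phone, and then sketches the asymmetric alternative the question proposes. Ed25519 is my assumed choice for the key pair; the 8-byte big-endian counter as the signed message, the `signedOTP` struct, and the `skew` window are likewise assumptions made for this illustration. The secret `12345678901234567890` is the RFC 6238 Appendix B test secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp computes an RFC 4226 value: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamically truncated to `digits` decimal digits. Both the phone
// and the server run exactly this function with the same secret.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation offset (RFC 4226 5.4)
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp is RFC 6238: HOTP with counter = floor(unixTime / step).
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP is the server side. It recomputes the code for the current
// window and `skew` neighbouring windows (clock drift), so the server must
// store the shared secret in a form it can use for HMAC. That storage is
// exactly what a server breach exposes.
func verifyTOTP(secret []byte, unixTime, step int64, digits int, code string, skew int64) bool {
	counter := unixTime / step
	for i := -skew; i <= skew; i++ {
		expected := hotp(secret, uint64(counter+i), digits)
		if hmac.Equal([]byte(expected), []byte(code)) { // constant-time compare
			return true
		}
	}
	return false
}

// signedOTP is the assumed asymmetric variant from the question: the phone
// signs the counter with its private key and the server keeps only the
// public key, so a server breach does not yield anything that can sign.
type signedOTP struct {
	Counter uint64
	Sig     []byte // Ed25519 signature, 64 bytes
}

func signCounter(priv ed25519.PrivateKey, counter uint64) signedOTP {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	return signedOTP{Counter: counter, Sig: ed25519.Sign(priv, msg[:])}
}

// verifySigned checks that the claimed counter is within `skew` of the
// server's own counter and that the signature over it is valid.
func verifySigned(pub ed25519.PublicKey, s signedOTP, now, skew uint64) bool {
	if s.Counter+skew < now || s.Counter > now+skew {
		return false
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], s.Counter)
	return ed25519.Verify(pub, msg[:], s.Sig)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	fmt.Println("TOTP at t=59:", totp(secret, 59, 30, 8))

	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	s := signCounter(priv, 59/30)
	fmt.Println("signed counter verifies:", verifySigned(pub, s, 1, 1),
		"signature bytes:", len(s.Sig))
}
```

One practical difference is visible in the output: the symmetric scheme yields a 6-8 digit code a person can read off a screen and type, while an Ed25519 signature is 64 bytes and would have to be transported by some channel other than the user's eyes and fingers.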