Warning: Some posts on this platform may contain adult material intended for mature audiences only. Viewer discretion is advised. By clicking ‘Continue’, you confirm that you are 18 years or older and consent to viewing explicit content.
The most secure practice for any high-value accounts (email etc) is to use WebAuthn with a hardware key like a Yubikey.
TOTP is still vulnerable to phishing (a fake login page can ask for both a password and a TOTP code) so business/corporate environments are moving away from them.
Yep, and Vaultwarden too!
Though the most secure practice is to store them separately.
Alr
The most secure practice for any high-value accounts (email etc) is to use WebAuthn with a hardware key like a Yubikey.
TOTP is still vulnerable to phishing (a fake login page can ask for both a password and a TOTP code) so business/corporate environments are moving away from them.
Sure, hardware keys are superior!
I’m only talking about best practtices when using TOTPs in particular.