Why can't I share a one use code with anyone else?


I noticed that in some cases, when I get a verification code from Google, it may say something along the lines of:

"You should not share this code with anyone else and no one from Google will ever ask for this code."

OK, this seems like it's for security reasons, but the code is only a one-use code, so if you give it to someone after it was used then it will not work. (This may not apply to giving someone the code before use; however, even if someone knew your username and password and was able to get an unused code, and that person were to log in, a new code should be generated for the new session, right?)

Am I missing something? Is there any reason not to share the one-time code, especially the part about some random stranger calling and asking for it? Also, it should have long since expired before someone had the chance to call you and ask for it in the future.










google 2fa

asked 8 hours ago, edited 8 hours ago
– Henry WH Hack v2.1.3

  • Why do you think they say "don't look down the barrel of a gun" instead of "don't look down the barrel of a gun unless it's empty"? Or "don't try to stick your fingers into the power outlet" instead of "don't try to stick your fingers into the power outlet unless they're too big to go in or unless you've shut off the power"? etc.

    – Mehrdad
    52 mins ago

  • @Mehrdad You do know the saying "Better be safe than sorry", right? They tell you that to make sure you are always careful around anything that could possibly be risky.

    – Henry WH Hack v2.1.3
    38 mins ago

  • Time to post an answer to your own question!

    – Mehrdad
    5 mins ago

















3 Answers
They're not being precise because they don't have to, and precise language might confuse some users.



They could say, for example, "You should not share unused codes that are less than an hour old with anyone else and no one from Google will ever ask for this code."



You and I would know what they mean. My father-in-law and grandpa won't know why, though. My father-in-law is a specific example of a person who would see that there are times when he can share codes, and someone scamming him out of his social security check will get access to his email as well. (Yes, most of his inbox is about mind control chemicals added to contrails and how solar flares cause earthquakes, but it might also give someone access to his bank account.)



Since a used or expired token is useless to everyone, there's no point in keeping it, sharing it, protecting it, deleting it, or adding exceptions to general security advice.



I can tell from personal experience that there are users who will do stupid things when you let them know that there are edge cases and nuances to security. Knowing that, if I were to write such a warning to my users, I'd make my statement as broad and general as possible.






– Ghedipunk
answered 8 hours ago

It's to prevent social engineering attacks against you. Imagine, for example, that you logged into your two-factor Gmail account on a shady public computer where a keylogger recorded your email address and password (but they weren't able to use it while you were logged in), but you have two-factor authentication enabled and remembered to sign out at the end of your session. Your account is still safe (though again, it's best not to sign in to your systems using sketchy public computers, because even with two-factor auth someone sophisticated could still potentially do malicious things on your account in the window while you were signed in).

Attackers now have your email address and password. To access your account (say, to use your email address to reset passwords for other systems, order stuff online, access bank accounts, send out spam, or cause other havoc), they need to get past the two-factor authentication system. So they contact you, pretend to be Google, and try to trick you into giving them the actual authentication code, so they can fully log in to your account. Maybe they call you on the phone (from a spoofed number that looks like something associated with Google Inc.) and say "we see you have 2-factor auth set up; before we can proceed I need you to tell us the code just texted to you", etc.

Expired or already used tokens don't matter, but they just want to get you in the habit of not giving away this information to third parties.






– dr jimbob
answered 7 hours ago

  • Alternatively, someone with the target's username, land line, and mobile numbers could phone the land line, pretending to be auditing the accuracy of their phone number information, use the "lost password" function on the account, and ask the target for the code their mobile should be receiving. Under such circumstances, many victims might not bother to read the message containing the code to see why it was sent.

    – supercat
    2 hours ago


















    This may not apply to giving someone the code before use; however, even if
    someone knew your username and password and was able to get an unused
    code, and that person were to log in, a new code should be generated for
    the new session, right?

Wrong. I assume you're talking about a TOTP code generated, for example, by the Google Authenticator app. TOTP works by storing a shared secret on the client and server (your phone and Google's servers). To authenticate, both the client and server use the secret as an HMAC key to hash the current time, then truncate the result to an n-digit value (often 6 digits, sometimes longer).

TOTP is not tied to a session in any way; it is entirely based on a shared secret and the current time.

    Am I missing something? Is there any reason not to share the one-time code, especially the part about some random stranger calling and asking for it? Also, it should have long since expired before someone had the chance to call you and ask for it in the future.

I imagine they're trying to prevent people from falling for scams where someone asks you to send them the current code. After the code is used, or after enough time has passed to make it no longer valid, the code is useless.

Multiple old codes may contain enough information to allow for brute-forcing of the shared secret, but that's a preimage attack on SHA-1, which is still quite infeasible (i.e. the codes will allow them to tell if any particular guess for the shared secret is correct, but they could spend several lifetimes guessing and never find it).
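The TOTP mechanism this answer describes, and the point made in the answers above that a used or expired code is worthless while an unused current one is not, as an added example that is not part of the original post or of any Google code: a minimal RFC 6238 implementation in Python (HMAC-SHA1 over the time-step counter, dynamic truncation to 6 digits) beside a server-side verifier that accepts a code only within a one-step window and refuses to accept a time step it has already consumed. The secret is the RFC 4226/6238 SHA-1 test-vector secret, the timestamps are constructed, and the names `hotp`, `totp`, `current_code`, `TotpVerifier` and `demo` are this example's own.

```python
# Added example, not from the original post: RFC 6238 TOTP generation plus
# a server-side verifier showing why a used or expired code is worthless
# while an unused, current one is not. Names and timestamps are constructed.
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 SHA-1 test-vector secret (constructed demo value;
# real secrets are random bytes provisioned once, e.g. via a QR code).
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per time step; Google Authenticator uses 30
DIGITS = 6       # "often 6 digits, sometimes longer"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current time step.
    Only the secret and the clock go in; no session identifier is involved."""
    return hotp(secret, unix_time // step)


def current_code(secret: bytes = SHARED_SECRET) -> str:
    """What an authenticator app would display right now."""
    return totp(secret, int(time.time()))


class TotpVerifier:
    """Server side. Accepts a code that matches the current step or the one
    before/after it (clock skew), and never accepts a time step that has
    already been consumed, so a code cannot be replayed once used."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_counter = -1   # highest counter already used

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue          # used, or older than one already used: reject
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_accepted_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk the answers' claims through the verifier with constructed times."""
    verifier = TotpVerifier(SHARED_SECRET)
    t0 = 1111111111                     # an RFC 6238 test time; code is 050471
    code = totp(SHARED_SECRET, t0)
    return {
        # A "new session" does not change the code: same secret + same step.
        "same_code_other_session": totp(SHARED_SECRET, t0 + 5) == code,
        # An unused, current code works exactly once...
        "first_use": verifier.verify(code, t0 + 5),
        # ...a second use of the same code in the same step is refused...
        "replay": verifier.verify(code, t0 + 10),
        # ...and an hour later it has expired, even though the person who
        # now holds it never "used" it.
        "expired": verifier.verify(code, t0 + 3600),
        # A freshly generated code for the later step is accepted.
        "fresh_code_later": verifier.verify(totp(SHARED_SECRET, t0 + 3600), t0 + 3600),
    }


if __name__ == "__main__":
    print("current code:", current_code())
    print(demo())
```

The one-step skew window is a choice made for this example; the refusal to accept an already-consumed time step follows RFC 6238's requirement that a verifier must not accept a second attempt with an OTP it has already validated. The `demo` results make the answers' point concrete: the code a scammer asks for on the phone is dangerous precisely while it is unused and current, and worthless once it has been consumed or has aged out.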






    share|improve this answer























      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "162"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210114%2fwhy-cant-i-share-a-one-use-code-with-anyone-else%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      11














      They're not being precise because they don't have to, and precise language might confuse some users.



      They could say, for example, "You should not share unused codes that are less than an hour old with anyone else and no one from Google will ever ask for this code."



      You and I would know what they mean. My father in law and grandpa won't know why, though. My father in law is a specific example of a person who would see that there are times when he can share codes, and someone scamming him out of his social security check will get access to his email as well. (Yes, most of his inbox is about mind control chemicals added to contrails and how solar flares cause earthquakes, but it might also give someone access to his bank account.)



      Since a used or expired token is useless to everyone, there's no point in keeping it, sharing it, protecting it, deleting it, or adding exceptions to general security advice.



      I can tell from personal experience that there are users who will do stupid things when you let them know that there are edge cases and nuances to security. Knowing that, if I were to write such a warning to my users, I'd make my statement as broad and general as possible.






      share|improve this answer



























        11














        They're not being precise because they don't have to, and precise language might confuse some users.



        They could say, for example, "You should not share unused codes that are less than an hour old with anyone else and no one from Google will ever ask for this code."



        You and I would know what they mean. My father in law and grandpa won't know why, though. My father in law is a specific example of a person who would see that there are times when he can share codes, and someone scamming him out of his social security check will get access to his email as well. (Yes, most of his inbox is about mind control chemicals added to contrails and how solar flares cause earthquakes, but it might also give someone access to his bank account.)



        Since a used or expired token is useless to everyone, there's no point in keeping it, sharing it, protecting it, deleting it, or adding exceptions to general security advice.



        I can tell from personal experience that there are users who will do stupid things when you let them know that there are edge cases and nuances to security. Knowing that, if I were to write such a warning to my users, I'd make my statement as broad and general as possible.






        share|improve this answer

























          11












          11








          11







          They're not being precise because they don't have to, and precise language might confuse some users.



          They could say, for example, "You should not share unused codes that are less than an hour old with anyone else and no one from Google will ever ask for this code."



          You and I would know what they mean. My father in law and grandpa won't know why, though. My father in law is a specific example of a person who would see that there are times when he can share codes, and someone scamming him out of his social security check will get access to his email as well. (Yes, most of his inbox is about mind control chemicals added to contrails and how solar flares cause earthquakes, but it might also give someone access to his bank account.)



          Since a used or expired token is useless to everyone, there's no point in keeping it, sharing it, protecting it, deleting it, or adding exceptions to general security advice.



          I can tell from personal experience that there are users who will do stupid things when you let them know that there are edge cases and nuances to security. Knowing that, if I were to write such a warning to my users, I'd make my statement as broad and general as possible.






          share|improve this answer













          They're not being precise because they don't have to, and precise language might confuse some users.



          They could say, for example, "You should not share unused codes that are less than an hour old with anyone else and no one from Google will ever ask for this code."



          You and I would know what they mean. My father in law and grandpa won't know why, though. My father in law is a specific example of a person who would see that there are times when he can share codes, and someone scamming him out of his social security check will get access to his email as well. (Yes, most of his inbox is about mind control chemicals added to contrails and how solar flares cause earthquakes, but it might also give someone access to his bank account.)



          Since a used or expired token is useless to everyone, there's no point in keeping it, sharing it, protecting it, deleting it, or adding exceptions to general security advice.



          I can tell from personal experience that there are users who will do stupid things when you let them know that there are edge cases and nuances to security. Knowing that, if I were to write such a warning to my users, I'd make my statement as broad and general as possible.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 8 hours ago









          GhedipunkGhedipunk

          1,175515




          1,175515























              5














              It's to prevent social engineering attacks against you. Imagine, for example you logged into your two-factor gmail account on a shady public computer where a keylogger recorded your email address and password (but weren't able to use it while you were logged in), but you have two factor authentication enabled and remembered to sign out at the end of your session. Your account is still safe (though again, it's best not to sign in to your systems using sketchy public computers; because even with two-factor auth someone sophisticated could still potentially do malicious things on your account in the window while you were signed in).



              Attackers now have your email address and password. To access your account (say to use your email address to reset passwords for other systems, like order stuff online, access bank accounts, send out spam, or other havoc), they need to get past the two factor authentication system. So they contact you, pretend to be Google, and try and trick you to answer to them with the actual authentication code, so they can fully login to your account. Maybe they call you on the phone (spoofed number that looks like something associated with Google Inc) and say "we see you have 2-factor auth setup, before we can proceed I need you to tell us the code just texted to you", etc.



              Expired or already used tokens don't matter, but they just want to get you in the habit of not giving away this information to third parties.






              share|improve this answer























              • Alternatively, someone with the target's username, land line, and mobile numbers could phone the land line, pretending to be auditing the accuracy of their phone number information, use the "lost password" function on the account, and ask the target for the code their mobile should be receiving. Under such circumstances, many victims might not bother to read the message containing the code to see why it was sent.

                – supercat
                2 hours ago















              5














              It's to prevent social engineering attacks against you. Imagine, for example you logged into your two-factor gmail account on a shady public computer where a keylogger recorded your email address and password (but weren't able to use it while you were logged in), but you have two factor authentication enabled and remembered to sign out at the end of your session. Your account is still safe (though again, it's best not to sign in to your systems using sketchy public computers; because even with two-factor auth someone sophisticated could still potentially do malicious things on your account in the window while you were signed in).



              Attackers now have your email address and password. To access your account (say to use your email address to reset passwords for other systems, like order stuff online, access bank accounts, send out spam, or other havoc), they need to get past the two factor authentication system. So they contact you, pretend to be Google, and try and trick you to answer to them with the actual authentication code, so they can fully login to your account. Maybe they call you on the phone (spoofed number that looks like something associated with Google Inc) and say "we see you have 2-factor auth setup, before we can proceed I need you to tell us the code just texted to you", etc.



              Expired or already used tokens don't matter, but they just want to get you in the habit of not giving away this information to third parties.






              share|improve this answer























              • Alternatively, someone with the target's username, land line, and mobile numbers could phone the land line, pretending to be auditing the accuracy of their phone number information, use the "lost password" function on the account, and ask the target for the code their mobile should be receiving. Under such circumstances, many victims might not bother to read the message containing the code to see why it was sent.

                – supercat
                2 hours ago













              5












              5








              5







              It's to prevent social engineering attacks against you. Imagine, for example you logged into your two-factor gmail account on a shady public computer where a keylogger recorded your email address and password (but weren't able to use it while you were logged in), but you have two factor authentication enabled and remembered to sign out at the end of your session. Your account is still safe (though again, it's best not to sign in to your systems using sketchy public computers; because even with two-factor auth someone sophisticated could still potentially do malicious things on your account in the window while you were signed in).



              Attackers now have your email address and password. To access your account (say to use your email address to reset passwords for other systems, like order stuff online, access bank accounts, send out spam, or other havoc), they need to get past the two factor authentication system. So they contact you, pretend to be Google, and try and trick you to answer to them with the actual authentication code, so they can fully login to your account. Maybe they call you on the phone (spoofed number that looks like something associated with Google Inc) and say "we see you have 2-factor auth setup, before we can proceed I need you to tell us the code just texted to you", etc.



              Expired or already used tokens don't matter, but they just want to get you in the habit of not giving away this information to third parties.






              share|improve this answer













              It's to prevent social engineering attacks against you. Imagine, for example you logged into your two-factor gmail account on a shady public computer where a keylogger recorded your email address and password (but weren't able to use it while you were logged in), but you have two factor authentication enabled and remembered to sign out at the end of your session. Your account is still safe (though again, it's best not to sign in to your systems using sketchy public computers; because even with two-factor auth someone sophisticated could still potentially do malicious things on your account in the window while you were signed in).



              Attackers now have your email address and password. To access your account (say to use your email address to reset passwords for other systems, like order stuff online, access bank accounts, send out spam, or other havoc), they need to get past the two factor authentication system. So they contact you, pretend to be Google, and try and trick you to answer to them with the actual authentication code, so they can fully login to your account. Maybe they call you on the phone (spoofed number that looks like something associated with Google Inc) and say "we see you have 2-factor auth setup, before we can proceed I need you to tell us the code just texted to you", etc.



              Expired or already used tokens don't matter, but they just want to get you in the habit of not giving away this information to third parties.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered 7 hours ago









              dr jimbobdr jimbob

              34.7k777146




              34.7k777146












              • Alternatively, someone with the target's username, land line, and mobile numbers could phone the land line, pretending to be auditing the accuracy of their phone number information, use the "lost password" function on the account, and ask the target for the code their mobile should be receiving. Under such circumstances, many victims might not bother to read the message containing the code to see why it was sent.

                – supercat
                2 hours ago




























              2















May not apply to giving someone the code before use; however, even if someone knows your username and password and was able to get an unused code, and that person were to log in, a new code should be generated for the new session. Right?




Wrong. I assume you're talking about a TOTP code generated, for example, by the Google Authenticator app. TOTP works by storing a shared secret on the client and server (your phone and Google's servers). To authenticate, both the client and server use the secret as an HMAC key to hash the current time, then truncate it to an n-digit value (often 6 digits, sometimes longer).



              TOTP is not tied to a session in any way, it is entirely based on a shared secret and the current time.




Am I missing something? Is there any reason not to share the one-time code, especially the part about some random stranger calling and asking for it? Also, it should have long since expired before someone had the chance to call you and ask for it in the future.




              I imagine they're trying to prevent people falling for scams where someone asks you to send the current code to them. After the code is used, or after enough time has passed to make it no longer valid, the code is useless.



Multiple old codes may contain enough information to allow for brute-forcing of the shared secret, but that's a preimage attack on SHA-1, which is still quite infeasible (i.e. the codes will allow them to tell if any particular guess for the shared secret is correct, but they could spend several lifetimes guessing and never find it).
















                  answered 8 hours ago









AndrolGenhald

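The two answers above make the same point from different angles: a TOTP code is a function of the shared secret and the clock only, so the server cannot tell whether the person typing it is the account owner or someone who talked the owner into reading it out within the 30-second window, and an already-consumed code is worthless. The following is an added worked example, not code from either answer or from Google Authenticator. It implements HOTP/TOTP as RFC 4226/6238 describe them (HMAC-SHA1 over the time-step counter, dynamic truncation to n digits), uses the RFC 6238 reference secret so its output can be checked against the published test vectors, and adds the "last accepted counter" replay check the RFC recommends for verifiers. The `TotpVerifier` class and `demo()` function are names chosen for this example.

```python
"""TOTP (RFC 6238) worked example: codes depend on secret + time, not on a session."""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"), used here
# only so the codes can be checked against the published test vectors.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the usual authenticator-app setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """A TOTP code is HOTP with the counter derived from the clock (T0 = 0)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side (hypothetical name): shared secret, clock tolerance of +/- `window`
    steps, and the RFC 6238 'do not accept a counter at or below the last used one'
    check so a code that was accepted once cannot be replayed."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = STEP, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter:
                continue  # already consumed (or older): refuse reuse
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Replays the scenario from the answers with constructed timestamps.

    t is the instant the victim's phone shows the code; the server has no way
    to know who is typing it, only whether it matches the current time step."""
    t = 1111111109  # one of the RFC 6238 test-vector timestamps
    server = TotpVerifier(RFC_SECRET, digits=8)

    phone_code = totp(RFC_SECRET, t, digits=8)             # what the victim reads out
    relayed = server.verify(phone_code, t + 20)            # typed by someone else, 20 s later
    replayed = server.verify(phone_code, t + 25)           # the same code a second time
    stale = server.verify(totp(RFC_SECRET, t - 600, digits=8), t + 40)  # a 10-minute-old code
    fresh = server.verify(totp(RFC_SECRET, t + 2, digits=8), t + 2)    # next step, legitimate
    return {
        "phone_code": phone_code,
        "relayed_within_window_accepted": relayed,   # True: no session binding at all
        "replay_of_used_code_accepted": replayed,    # False: consumed counter is refused
        "stale_code_accepted": stale,                # False: wrong time step
        "next_code_accepted": fresh,                 # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The value of `relayed_within_window_accepted` is the whole reason the "never share a code" rule exists: the verifier checks only secret and time, so a code handed over on the phone is as good as one typed by the owner until the step rolls over. The `replayed` and `stale` results are the other answer's point that a used or expired code is harmless, provided the server tracks the last accepted counter; a verifier without that bookkeeping would accept the relayed code twice inside the same window.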


























