blog! “How random are TOTP codes?”
I'm pretty sure that the 2FA codes generated by my bank's TOTP app have a bias towards the number 8 - because eight is an auspicious number. But is that just my stupid meaty brain noticing patterns where none exist? The TOTP algorithm uses HMAC, which in turn uses SHA-1. My aforementioned brain is not […]
⸻
#algorithms #CyberSecurity #totp
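One way to test the "bias towards 8" hunch empirically, as an added example that is not code from the post or from any bank's app: an RFC 6238 TOTP implementation (HMAC-SHA1 plus dynamic truncation), followed by a digit-frequency tally and a chi-square statistic over many consecutive codes. The secret below is the ASCII test secret from RFC 6238 and the 100000-code sample size is an arbitrary choice.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Constructed input: the ASCII test secret from the RFC 4226/6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value
    # 2^31 is not a multiple of 10^6, so values below 483648 occur 2148 times and the
    # rest 2147 times: a bias of roughly 1 part in 2147, far too small to notice by eye.
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def digit_histogram(secret: bytes, n_codes: int, digits: int = 6) -> Counter:
    """Count how often each decimal digit appears across n_codes consecutive codes."""
    counts = Counter()
    for counter in range(n_codes):
        counts.update(hotp(secret, counter, digits))
    return counts


def chi_square(counts: Counter, n_codes: int, digits: int = 6) -> float:
    """Chi-square statistic against a uniform distribution over the ten digits."""
    expected = n_codes * digits / 10
    return sum((counts[str(d)] - expected) ** 2 / expected for d in range(10))


if __name__ == "__main__":
    n = 100_000
    hist = digit_histogram(SECRET, n)
    stat = chi_square(hist, n)
    for d in range(10):
        print(d, hist[str(d)])
    # Nine degrees of freedom: a statistic above 16.92 would be unusual (p < 0.05)
    # for a uniform source; a single run near or below that is consistent with no bias.
    print("chi-square:", round(stat, 2))
```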
@Edent Are you sure it is actually TOTP, and not CAP? (E.g. I'm with Barclays and it is definitely CAP.)
@steve Yes. I'm using my TOTP app.
@Edent Aye - runs in a random pool are something that one needs to learn to expect. There are, of course, other methods for defeating that sort of statistical analysis. One simple example being the so-called “lucky log” die.