Secure secret distribution

There is much discussion on the web about the insecurity of the Authenticator concept as implemented on a smartphone.

The problem is the passing of the secret 2FA code from the site
issuing the code to the TOTP authenticator smartphone.

In short, it is impossible to do this in a secure manner. The standard method is to pass the secret in clear text – either as a QR or simply displaying the code on the screen.

There is nothing to stop the code being copied, stored, or loaded into multiple phones. The method is convenient but is certainly not secure.

A company relying on this type of 2FA usage can never be
sure that the person logging in is actually the person to whom the code has
been issued.

I believe that your Authenticator app plus your cloud infrastructure (Password Hub) could enable a totally secure version to be implemented.

If this is something that you may be interested in
implementing, I’d be happy to continue the conversation – probably best to do
it off-line.

All Comments (4)

Hi,

We have multiple options of Multi-Factor Authentication (MFA) which implement state-of-the-art security requirements such as WebAuthn and Security Keys.

We highly recommend using those options for your security needs.

Sébastien Aubin
Product manager - Password Management

Where can I see details?

Hi,

you can add a security key here, and the documentation about it is here.

Sébastien Aubin
Product manager - Password Management

Thank you for the link. It's an alternative way to identify yourself. I've googled WebAuthn. It's something that might serve a similar purpose to the Authenticator, but they are not really related.

I'm trying to find some relatively simple way to make the use of Authenticator for TOTP much more secure. You have put in a lot of effort enhancing your version of Authenticator over that of Google's - and in its early days I was the one pushing you to add features. Now I'm back with some more! :)

Using the TOTP scheme with a physical hardware token is completely secure (so far as there can only be one physical token with the same secret).

But when Authenticator is used on a smartphone to simulate such a token, it really fails all the tests for security as the key that is supposed to be secret is basically handed over in clear text and can be installed in any number of phones - either intentionally or surreptitiously.

Google Authenticator was basically a very bad implementation of TOTP and that unfortunately is carried over to the Devolutions Authenticator.

I was hoping that you may be interested in extending the Authenticator's functionality to make it secure - something that others may well follow.

As things stand, I could not recommend the use of something like the Authenticator for sites that really need to ensure that the right person is logging in.

Authenticator should be functionally identical to a TOTP hardware token - with the user unable to find out the secret within his device.
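The point made in the original post and again in the last comment (the provisioning secret travels in the clear inside the QR code, and every phone that receives it produces identical codes) can be shown concretely. The following is an added example, not code from the thread or from Devolutions: it parses a constructed otpauth:// URI of the kind a QR code encodes, implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and checks that several "devices" provisioned from the same payload are indistinguishable to the verifier. The URI, label and issuer are constructed for the example; the secret is the RFC 6238 test key "12345678901234567890" in base32, so the codes can be checked against that RFC's test vectors.

```python
"""Added example: a TOTP secret provisioned by QR code is a plain shared secret.

Everything here is standard-library only. The otpauth:// URI is constructed for
this example; the secret is the RFC 6238 test key, base32-encoded.
"""
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning payload: exactly the text a QR code would carry.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=8&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract label, raw secret bytes and parameters from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)          # restore base32 padding that apps strip
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": base64.b32decode(b32),   # the shared secret, recovered in the clear
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def code_from_uri(uri: str, unix_time: int) -> str:
    """What any device provisioned from this URI displays at the given time."""
    p = parse_otpauth_uri(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


def clones_are_indistinguishable(uri: str, unix_time: int, copies: int = 3) -> bool:
    """Every device that received the same URI produces the same code, so the
    verifying site cannot tell the intended phone from any copy of it."""
    codes = {code_from_uri(uri, unix_time) for _ in range(copies)}
    return len(codes) == 1


if __name__ == "__main__":
    info = parse_otpauth_uri(EXAMPLE_URI)
    print("secret recovered from QR payload:", info["secret"])
    print("code at t=59:", code_from_uri(EXAMPLE_URI, 59))
    print("copies agree:", clones_are_indistinguishable(EXAMPLE_URI, 59))
```

The comparison with a hardware token follows directly from the last function: the server side of TOTP is the same HMAC over the same secret, so the only thing that keeps a code bound to one device is the secret never leaving it, which a QR-based enrolment cannot guarantee. With the RFC 6238 key, the 8-digit code at t=59 is 94287082 and at t=1111111109 it is 07081804, matching the RFC's own table.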