RESEARCH: TOTP Authenticator app usage - glenw921/TripleCrypt GitHub Wiki

DEPRECATED: There is no way to create an inviolable gate with TOTP/HMAC validation without a server to ensure the step isn't skipped.

Google Authenticator, Microsoft Authenticator, and similar apps use Time-based One-Time Passwords (TOTP), which generate a unique password that changes every 30 seconds. These codes are based on a shared secret between the app and the PWA and do not require an internet connection once the secret has been exchanged.

Compatibility:

Once the shared secret is established during initial setup (while the device is online), TOTP can work completely offline. The user simply enters the code generated by their app to authenticate.

Feasibility for TripleCrypt:

Yes, TOTP methods like Google Authenticator or Microsoft Authenticator can be used. The initial setup would need to be done while the device is online (to sync the secret), but thereafter the PWA can verify the TOTP codes offline.

How It Works:

During the initial setup (when TripleCrypt is online), the user pairs their device with an authenticator app by scanning a QR code (containing a shared secret). Afterward, the user can use their authenticator app to generate TOTP codes offline, which TripleCrypt can verify locally using the same shared secret.

QUESTIONS: (1) I envision TripleCrypt will be on a separate host device from the TOTP host device. Why must these devices be "online" to "sync the secret"? Wouldn't TripleCrypt just display a QR code for the TOTP app to capture, or wouldn't TripleCrypt just generate a code to enter into the TOTP app?