phishing defense
2 articles with this tag
What is a one-time password (OTP)? TOTP vs HOTP vs SMS, and its limits
A one-time password (OTP) is a short-lived, single-use code that becomes invalid once it has been used. The main types are authenticator-app TOTP (time-based), HOTP (counter-based), and SMS-OTP. An OTP holds up well against leaked and reused passwords and is commonly the 'something you have' factor in 2FA. But it has a limit: adversary-in-the-middle (AiTM) phishing can relay an OTP through a fake site and still get in. True phishing resistance comes from a domain-bound passkey. OTP is 'much better than nothing, but not the finish line.'
What is two-factor authentication (2FA)? vs two-step, and the strength of each method
Two-factor authentication (2FA) strengthens identity checks by adding a different category of proof — 'something you have' or 'something you are' (a code, key, or biometric) — on top of 'something you know' (your password). Strictly speaking, it is not the same as two-step verification (two checks, which are not necessarily from two different categories). Strength depends on the method: SMS/email < authenticator app (TOTP) < passkey/security key (FIDO2). This site's stance: turn on some form of 2FA everywhere first, then move key accounts to methods you can't hand to a phishing site.