Post Syndicated from original https://lwn.net/Articles/925870/

One-time passwords (OTPs) are increasingly used as a defense against
phishing and other password-stealing attacks, usually as a part of a
two-factor authentication process. Perhaps the mostly commonly
used technique is sending a numeric code to a phone via SMS, but SMS OTPs
have security problems of their own. An alternative is to use time-based
one-time passwords (TOTPs). The normal TOTP situation is to have all
of the data locked into a proprietary phone app, but it need not be that
way.