Personal Consumer Issues • Passkeys vs Passwords

What makes TOTP more risky than passkeys? How could an attacker get your shared secret?
Depending on the application, the TOTP secret can be transferred to another TOTP application. For example, some apps display a QR code which you can scan with another app and clone the TOTP entry. But that is not a danger for the remote attack. The main weakness is that the TOTP code, not the secret but a code that changes every so often, can be social engineered out of the victim by the attacker. If you enter a TOTP code on a fake website, within the valid time frame it can be re-entered on the real website. So a man-in-the-middle attack is also possible.

With passkeys both of these dangers are mitigated. The passkey challenge-response is site specific, so a MITM attack is not possible. And there is nothing to give to the remote attacker. Even if they get you to disclose your PIN, it is useless without the actual passkey device. Unless they clone your device somehow, which is not possible with something like a YubiKey or something like a TPM, you are safe.

Statistics: Posted by SignalOverNoise — Sat May 02, 2026 10:39 am — Replies 109 — Views 6486
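The difference the post describes, as an added example that is not part of the original thread: a small Python model of both verifiers. The TOTP side follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the server sees only a code, so a code the user typed on a look-alike site and that was forwarded within the window is accepted. The passkey side mirrors the WebAuthn assertion layout (clientDataJSON with type, challenge and origin; authenticator data starting with the rpId hash) in simplified form. Assumptions: an HMAC keyed with a per-credential key stands in for the authenticator's asymmetric signature, and the origins, secrets and challenge strings are constructed sample values.

```python
import hashlib
import hmac
import json
import struct

# ---------- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ----------

def totp_code(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Code valid for the time step containing Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_verify(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `skew` steps.
    Nothing in the code says where the user typed it, so the server cannot tell a
    code forwarded from a look-alike site from one typed on the genuine site."""
    return any(
        hmac.compare_digest(totp_code(secret, now + k * step, step, len(code)), code)
        for k in range(-skew, skew + 1)
    )


# ---------- Passkey-style assertion (simplified WebAuthn layout) ----------
# ASSUMPTION: HMAC with a per-credential key stands in for the authenticator's
# private-key signature. The origin and rpId binding is what matters here.

def client_get_assertion(cred_key: bytes, rp_id: str, page_origin: str, challenge: str):
    """Browser + authenticator side. The browser fills `origin` from the page the
    user is actually on; neither the user nor the page script can override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags, sign_count = b"\x01", b"\x00\x00\x00\x00"      # user-present flag, counter 0
    authenticator_data = rp_id_hash + flags + sign_count
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return client_data, authenticator_data, signature


def rp_verify_assertion(cred_key: bytes, rp_id: str, expected_origin: str,
                        expected_challenge: str, client_data: bytes,
                        authenticator_data: bytes, signature: bytes) -> bool:
    """Relying-party side. Each check below is what makes a forwarded assertion useless."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:        # stale or replayed assertion
        return False
    if cd.get("origin") != expected_origin:              # signed on a look-alike site
        return False
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                                     # credential scoped to another rpId
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, signature)


def demo() -> dict:
    """Constructed scenario: the user is lured to a look-alike origin, and whatever
    they produce there is forwarded to the real site within the TOTP window."""
    totp_secret = b"constructed-shared-secret-12345"     # constructed sample value
    t_user_types = 1_699_999_983                         # a few seconds into a 30 s step
    t_forwarded = t_user_types + 20                      # still inside the same step

    code_typed_on_fake_site = totp_code(totp_secret, t_user_types)
    totp_forwarded_accepted = totp_verify(totp_secret, code_typed_on_fake_site, t_forwarded)

    cred_key = b"constructed-per-credential-key"         # constructed sample value
    rp_id, real_origin = "bank.example", "https://bank.example"
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"                 # RP issues a fresh one per login
    # Assertion produced on the look-alike page: the browser records that origin.
    cd, ad, sig = client_get_assertion(cred_key, rp_id, "https://bank-login.example", challenge)
    passkey_forwarded_accepted = rp_verify_assertion(
        cred_key, rp_id, real_origin, challenge, cd, ad, sig)
    # The same flow on the genuine page verifies.
    cd, ad, sig = client_get_assertion(cred_key, rp_id, real_origin, challenge)
    passkey_genuine_accepted = rp_verify_assertion(
        cred_key, rp_id, real_origin, challenge, cd, ad, sig)
    # Presenting that assertion again against a new challenge (replay) fails.
    passkey_replay_accepted = rp_verify_assertion(
        cred_key, rp_id, real_origin, "ZnJlc2gtY2hhbGxlbmdl", cd, ad, sig)

    return {
        "totp_forwarded_accepted": totp_forwarded_accepted,          # True: the weakness
        "passkey_forwarded_accepted": passkey_forwarded_accepted,    # False: origin mismatch
        "passkey_genuine_accepted": passkey_genuine_accepted,        # True
        "passkey_replay_accepted": passkey_replay_accepted,          # False: challenge mismatch
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats on the model. A real browser would not even hand the look-alike page an assertion for `bank.example`, because the rpId is derived from the page's own origin and the credential is scoped to it; the origin check in the relying party is the second line of defence that the example shows. And a TOTP verifier that remembers already-used codes (as RFC 6238 recommends) blocks only the second use of a code, which is why it does not change the outcome of the forwarded-code case.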