TOTP and WebAuthn: Two-Factor Authentication Without Authy
How second factors actually work, and how to own yours
There was a moment, somewhere around the third time Authy decided my desktop app should no longer exist, that I realised I had handed the keys to my entire digital life to a company whose roadmap I had no say in. The desktop client was deprecated, the cloud backup was a black box, and exporting my tokens turned out to be deliberately awkward. That’s the wrong feeling to have about the thing standing between an attacker and every account I own.
So let’s talk about what two-factor authentication actually is under the hood, because once you understand the mechanism, the question “which app should I use” mostly answers itself — and the answer is rarely a closed cloud service.
1 TOTP is just a shared secret and a clock
The codes that tick over every thirty seconds are not magic. TOTP (Time-based One-Time Password, RFC 6238) is built on a stupidly simple idea: the server and your authenticator share a secret, you both look at the current time, and you both run an HMAC over it. The six digits are just the truncated output of that HMAC. When you scan a QR code during setup, you’re copying that shared secret — and that’s the whole game.
You can prove this to yourself with a one-liner, given the base32 secret the site handed you:
# secret is the base32 string from the QR code
oathtool --totp -b JBSWY3DPEHPK3PXP
# 282760 (changes every 30s)That’s it. No server contacted, no internet required, just maths over a secret and the wall clock. Which means whoever holds the secret can generate your codes. If that’s a cloud service you can’t export from, you don’t really hold it — they do.
The practical upshot: store the secret somewhere you control. I keep mine in a password manager that supports TOTP, so the secret lives in the same encrypted vault I already back up myself. Some people prefer a dedicated open-source app that exports a plain, portable file. Both are fine. What’s not fine is a service that can lock you out of your own seeds.
2 TOTP’s weakness is the bit nobody mentions
TOTP is enormously better than nothing. It defeats password reuse and credential-stuffing outright. But it has one fatal flaw: it’s phishable. If a fake login page asks for your password and then your six digits, you’ll happily type both, and the attacker relays them to the real site within the thirty-second window. The code doesn’t know which site it’s being typed into. Neither do you, when the domain is paypa1-secure.com at 7am.
This is not theoretical. Real-time phishing kits that proxy your TOTP straight through to the genuine site are a commodity now. Which is exactly the problem WebAuthn was designed to kill.
3 WebAuthn binds the login to the actual website
WebAuthn (the web-facing half of FIDO2) replaces the shared secret with public-key cryptography, and — crucially — it cryptographically ties every credential to the origin it was created for. Your authenticator, whether that’s a YubiKey, your phone’s secure enclave, or a Windows Hello chip, generates a unique key pair per site. The private key never leaves the device. To log in, the site sends a challenge, the device signs it, the site verifies it against the public key it stored at registration.
Here’s the part that makes it unphishable: the browser includes the real origin in what gets signed. A credential registered for github.com simply will not respond to a request claiming to be github.com when the page is actually githubb.com. There’s nothing for the user to get wrong, because the user isn’t in the loop. The browser refuses.
The trade-off is recovery. A YubiKey can be lost or left in a hotel. The honest discipline is to register at least two keys on every important account — one on your keyring, one in a drawer at home — and to keep recovery codes printed somewhere offline.
Account recovery checklist (do this once, thank yourself later):
[ ] Hardware key #1 registered (daily carry)
[ ] Hardware key #2 registered (backup, stays home)
[ ] Recovery codes printed and stored offline
[ ] TOTP seed in a vault YOU can export from4 Passkeys are WebAuthn with the awkward bits smoothed off
You’ll have noticed “passkeys” everywhere lately. A passkey is just a WebAuthn credential that can be discoverable and, optionally, synced across your devices by a platform vault rather than locked to a single hardware token. The cryptography and the anti-phishing guarantee are identical. The difference is convenience versus the absolute, hardware-bound assurance of a key that physically cannot be copied. For most accounts a synced passkey is plenty; for the handful that really matter — your email, your password manager, your domain registrar — I still prefer a hardware key that can’t be exfiltrated by malware on a synced device.
5 The verdict
Use WebAuthn or passkeys wherever a site offers them, especially for the accounts that can reset everything else: email, password manager, registrar, GitHub. They’re the only second factor that survives a convincing phishing page. Keep TOTP as the fallback for the long tail of sites that haven’t caught up — but hold the seeds yourself, in something you can export and back up, not a cloud silo that can disappear a client out from under you.
Who is this for? Anyone who’s ever felt that small cold dread realising their entire second factor lives in one app they don’t control. The fix isn’t another shiny app. It’s understanding that 2FA is a secret or a key pair — and making sure the one holding it is you.
Related Content
