Site Map - skip to main content

Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes every weekday Monday through Friday.
This page was generated by The HPR Robot at

hpr3784 :: Two factor authentication without a phone number

Diving into privacy-aware and offline methods to generate one time passwords

<< First, < Previous, , Latest >>

Thumbnail of Celeste
Hosted by Celeste on 2023-02-02 is flagged as Clean and is released under a CC-BY-NC-SA license.
2FA, OTP, TOTP, HOTP, security. 1.
The show is available on the Internet Archive at:

Listen in ogg, spx, or mp3 format. Play now:

Duration: 00:18:27

Privacy and Security.

In this open series, you can contribute shows that are on the topic of Privacy and Security

Many services implement 2FA (Two factor authentication) by sending you a OTP (One Time Password) using an SMS with a random code, but this forces you to give them your valuable phone number. What alternatives do exist?

Let's dive into the HOTP, used by some banks years ago through a physical token and the recent TOTP, which both let you generate completely offline codes without using any phone number or any other personal detail. They use the HMAC technique usually with a SHA-1 one-way hashing function, but other hashing functions can be used too.

Useful links:

  • a little visual explanation I found here
  • Aegis android OTP generator
  • use TOTP in KeepassXC for a desktop generator guide

Let's keep Webauthn maybe for a future episode, I'm still exploring it and have to do more research.


Subscribe to the comments RSS feed.

Comment #1 posted on 2023-02-07 21:22:10 by Zen_floater2

Thank you for making this podcast

I found your version of two factor authorization interesting and would love it if more companies implemented common sense rather than marketing.

Leave Comment

Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.

Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).

Provide feedback
Your Name/Handle:
Anti Spam Question: What does the letter P in HPR stand for?
Are you a spammer?
What is the HOST_ID for the host of this show?
What does HPR mean to you?