[16:21:47] > Note that TOTP is not generally considered a form of 2FA because it relies on passwords, but is referred to as 2FA by the software
[16:21:48] I didn't know didn't consider TOTP as 2FA
[16:22:09] Typically, I've heard both terms be used somewhat interchangeably when TOTP is the only available option
[16:23:58] I've never heard that opinion until now
[16:25:02] I'm searching on Google whether TOTP is not a form of 2FA but I'm not finding anything
[16:25:11] The requirement for it to be 2FA is to be something you have (or something you are, though that's less common in the online world), if you don't know the TOTP secret key it is prac
[16:25:18] it is 2FA imo
[16:26:20] though perhaps more susceptible to hacks stealing the secret key
[16:27:03] Just asked ChatGPT what they thought and they said TOTP = 2FA
[16:27:07] AI is never wrong :P
[16:27:51] but yeah, I also think it's 2FA
[16:27:57] Fits the name too, two factor authentication
[16:28:05] Factor one is your password, factor two is the TOTP
[16:42:20] [1/6] Well, first of all, no authentication is 2FA on its own; for something to be 2FA it has to rely on 2 different factors of authentication. The 3 main factors are:
[16:42:21] [2/6] 1: Something you know (Password, pincode etc.)
[16:42:21] [3/6] 2: Something you have (Your phone, a separate dongle etc.)
[16:42:21] [4/6] 3: Something you are (Biometrics, i.e. fingerprint, iris scan etc.)
[16:42:22] [5/6] TOTP would certainly fall into something you have (so together with a traditional password and/or biometrics would be 2FA, yes)
[16:42:22] [6/6] Yes, you could try and argue since it relies on a code it is something you know, but due to how quickly those codes change, it is not really something you know long-term, but rather a way to verify that you have your phone at the moment of login.
[16:50:14] [1/2] There are a couple of other minor factors that can be added as well, like your location, or even what time you try to access, though they are much more rare, and should not be used as one of only 2 factors.
[16:50:14] [2/2] And ofc you can also have all 3 main (and potentially more minor) factors, at which point you are beyond 2FA, and into just MFA (multi-factor authentication) instead
[17:35:39] @Agent TOTP is the best freely available second factor in my opinion
[17:35:56] The best is FIDO compliant authentication
[17:36:14] Ideally locked with a PIN but that becomes TFA
[17:36:50] And ideally with your account locked down so password reset can only be done with 2 keys
[17:37:57] You shouldn't store your FIDO key the same as your password, so don't use your phone as a hardware key though