I am searching for a dual-pin TOTP app that looks like it is working whether it is or not. Entering the wrong PIN might cause the app to generate invalid codes while optionally wiping the real config.
Actually attempting to use the invalid code could potentially trigger all kinds of actions on the server that received the bogus login request. Sending an SOS email might be one such action.
I am not sure such a thing exists in either major app store. Thoughts?
The secret key is just an RNG output so you could also take it in 4 byte chunks and memorize 16 PRNG inputs that generate each the 4 bytes.
Or you could memorize a passphrase, take a sha2 hash of it, and then memorize a single PRNG input that spits out the bitstring diff between the hash output and the TOTP key. That way you aren’t wholly dependent on memorizing numbers and you can still safely use a more predictable and weak ‘PRNG’ that can amplify the bitstring salt out of an input.
etc.
I doubt anyone wants to search a f-91w.
The best way is to legitimately not have anything on the phone or your online presence that would cause problems, and then just be transparent (honestly, they're not after your nudes or embarrassing texts). A lot of border checks are based on feelings and if you look the part they'll quickly flick through the phone for obvious stuff they're after and will let you go once they don't find it.
If you are actually doing something that would cause issues, then you keep this off the local device and onto a remote one. Use a YubiKey or other dual-use authenticator (that gives you plausible deniability for having it - you can use the same key on benign social media accounts, etc) to access it from a secure device once you're through.
xxpor•2h ago
mrsilencedogood•2h ago
And, if you do, and you're really asking hacker news for opsec advice, I would suggest you abandon your career as a super-spy or whatever you're doing, because you're doing it very wrong.
jakedata•2h ago
ectospheno•2h ago