Add new docs for OTP authentication

[Elchi3]

Description

Adds new documentation describing OTP-based authentication. The article discusses three ways: email, SMS, and TOTP (authenticator apps)

Motivation

Developing a series of guides for implementing authentication covering various techniques, including passwords, one-time passwords, federated identity, and web authentication.

Additional details

• Overall OTP is presented as a second factor or when confirming user intentions (e.g., payments) and not as a general purpose authentication method.
• TOTP is presented as the most secure delivery method of one-time passwords.
• Several flaws with email and SMS-based deliveries are discussed

Related issues and pull requests

None.

[github-actions]

Preview URLs

• /en-US/docs/Web/Security/Authentication/OTP
• /en-US/docs/Web/Security/Authentication

Flaws (4)

Note! 1 document with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/Security/Authentication
Title: Authentication
Flaw count: 4

• broken_links:
  • Can't resolve /en-US/docs/Web/Security/Authentication/Federated_identity
  • Can't resolve /en-US/docs/Web/Security/Authentication/Passkeys
  • Can't resolve /en-US/docs/Web/Security/Authentication/Session_management
• macros:
  • Can't resolve /en-US/docs/Glossary/JWT

External URLs (12)

URL: /en-US/docs/Web/Security/Authentication/OTP
Title: One-time passwords (OTP)

• https://2fas.com (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/A5/1 (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/Base32 (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/SIM_swap_scam (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/Signalling_System_No._7 (1 time) (Note! This may be a new URL 👀)
• https://ente.io/auth/ (1 time) (Note! This may be a new URL 👀)
• https://pyauth.github.io/pyotp/ (1 time) (Note! This may be a new URL 👀)
• https://wicg.github.io/sms-one-time-codes/ (1 time) (Note! This may be a new URL 👀)
• https://www.ietf.org/archive/id/draft-linuxgemini-otpauth-uri-00.html (1 time) (Note! This may be a new URL 👀)
• https://www.microsoft.com/en-US/security/mobile-authenticator-app (1 time) (Note! This may be a new URL 👀)
• https://www.npmjs.com/package/otpauth (1 time) (Note! This may be a new URL 👀)
• https://www.rfc-editor.org/rfc/rfc6238 (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2025-11-19 20:01:10)

[wbamberg]

I haven't reviewed the whole thing but I did review the TOTP section, which seems like the most important one. I will take a look at the rest tomorrow.

[wbamberg]

This is something @hamishwillee always says, which is that we should put the recommended option first (i.e. this one), and the others as alternates/informational. Up to you, but something to consider, and I can see the logic in it.

[wbamberg]

this looks like two separate flows, right? Registration and sign-in? I think it might be worth making this explicit, and maybe using the two flows to structure this section as well.

I also think it's worth really spelling out the flows, like:

• the user installs an authenticator app
• the user visits the website and asks to sign up
• the website ....

...even including stuff that might seem obvious.

[wbamberg]

Added in 5130252.

[wbamberg]

Suggested change

	To setup TOTP, a website needs to share a secret key with the user. A TOTP secret key is a randomly generated [Base32](https://en.wikipedia.org/wiki/Base32) encoded seed. For example, the following command generates a 32-character Base32 random string::
	To set up TOTP, a website needs to share a secret key with the user. A TOTP secret key is a randomly generated [Base32](https://en.wikipedia.org/wiki/Base32) encoded value. For example, the following command generates a 32-character Base32 random string::

...but also I think we need more context than "the following command" - I guess it is a bash command, but you don't say that. And what is it actually doing? I don't want to paste random bash commands into my website code without some idea of what the bits of them are.

And talking about flows, it's better to always say who needs to do what.

[wbamberg]

I took out the Bash snippet, mostly because I expect people will use a library for working with TOTP, and we should probably encourage that.

[wbamberg]

Suggested change

	```plain
	```bash

?

[wbamberg]

I don't fully understand this, and again I think spelling it out is helpful. For example:

• the user asks to create an account
• the website generates a secret, and then generates a QR code from that secret (by doing XYZ)
• the user ...(does something with the QR code)

I don't really understand what the website does with this otpauth URI. How does this enable sharing the secret value.

[wbamberg]

Tried to clarify this in 5130252.

[wbamberg]

"The URI is an URL query string" seems wrong?

[Elchi3]

-> has

[wbamberg]

Updated in 5130252.

[wbamberg]

"you" here seems to refer to the user, not the web developer. Which I think is wrong: we should consistently address the web developer.

What are the security implications of the shared secret? What if an attacker gets access to the secret? In the preamble, we say "Unlike a password, there's no long-term secret to remember or to store securely" (my words actually!) Is this incorrect?

[wbamberg]

Relatedly it would be good to talk about attacks on (T)OTP. Earlier on we mention phishing but it's kind of implied that this is only a concern for certain versions of email OTP, but I think all OTP variants are vulnerable to phishing: https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Phishing#multi-factor_authentication.

Somewhere too we should talk about pros and cons. One con I can think of is that users have to install an authenticator app, which is extra friction and another component that we have to trust (I guess?).

[Elchi3]

Add a section about Weaknesses:

Vulnerabilities
Interception: SMS (worst) and email
Phishing: SMS, email, TOTP
Shared secret vulnerability with TOTP tokens (like a database compromise with passwords, also going on on the client side in the authenticator app)

User experience
SMS: privacy concerns, need to have a phone
email: latency
TOTP: need to install an authenticator app and make sure it is secured

[wbamberg]

Added in 5130252.

[wbamberg]

"much stronger mechanism" - why is (T)OTP weak compared with passkeys?

[wbamberg]

Added more specific guidance (specifically, phishing resistance) in 5130252.

[wbamberg]

How can a website do this?

[Elchi3]

Say that this is a weakness and not say it would be a good practice, because there isn't really something you can do. Take this out

[wbamberg]

Done in 5130252.

[wbamberg]

I wonder if it's worth being stronger here and just straight out un-recommending SMS, rather than giving good practice recs.

[wbamberg]

Done in 5130252.

[wbamberg]

Also and maybe more importantly: with TOTP the code is not sent by the server. Any time the code is sent from the server to the user, there is the possibility that it could be intercepted. So in this sense TOTP is intrinsically more secure.

[wbamberg]

Noted in "Weaknesses" in 5130252.

[wbamberg]

@Elchi3 , I've made some edits to this article, if you would like a look. Hope I have not done too much violence to it. I guess you can't technically approve your own PR :) but at least let me know if you are happy.

[Elchi3]

Looks great, Will! I think this can be merged. Minor thoughts only.

[Elchi3]

Not sure if we want to mention it, but the authenticator app is not a must. If you have the algorithm at hand, you can calculate it however you like (and you are responsible for how you store the shared secret). In my previous version I warned about this and said that (trusted) authenticator apps are better than say random online services .

[wbamberg]

I didn't say this because I'm not sure how relevant it is, especially for web developers, who are the audience here.

Even for end users, I'm not sure how relevant it is - yes, you don't need an app, but that's true of lots of things, and it seems perverse to not use an app when it's much easier and probably more secure to use one. Is this a realistic use case that we want to highlight?

And for web developers, their need is (perhaps) to communicate to their users how to use TOTP, which might include something like "you'll need to install an app if you haven't already, you can get one from X or Y or Z". Is it helpful for them to say "BTW you don't need an app, but it's probably less secure if you don't"? Isn't it better for them (and us) just not to acknowledge this option, and keep it simple for users?

I suppose one thing about TOTP is that security of the secret on the client is a risk that the server can't control (similar to whether a user looks after their passwords) and it might be worth mentioning this (as an extension to the general concern about securing the shared secret). But I'm not sure this is worth it.

[Elchi3]

Yeah, I agree, let's not get into this then.

[Elchi3]

Thank you so much, Will! This is ready to go from my side. Can't merge my own PR, but if you want to r+ and merge, I would be more than happy. It was great talking this one through in person at W3C TPAC in Kobe with you!!

[wbamberg]

It was great talking this one through in person at W3C TPAC in Kobe with you!!

Likewise!