
Per RFC (for HOTP, which is just TOTP w/o the time element)...

"The HOTP value must be at least a 6-digit value. It is also desirable that the HOTP value be 'numeric only' so that it can be easily entered on restricted devices such as phones."

6 was defaulted to in TOTP for being 'secure enough' and easy enough for most people to remember.



Exactly, it’s a pragmatic choice.

There are scenarios where that doesn’t provide sufficient assurance, but those scenarios are also not really suited for TOTP in the first place!



