Google’s introduction of the otpauth URI scheme made it easy for people and organizations to deploy and for individuals to enroll in TOTP authentication.
However, the initial implementations and description of the scheme left a number of ambiguities and inconsistencies in place.
This 2019 PasswordsCon talk discussed those ambiguities and contradictions along with some of the consequences I had observed. I argue that in general we need more well-constructed standards and compliance with those standards even though I don’t offer a clear path for fixing TOTP.
This talk was presented when I worked for 1Password. I have updated contact information in the slides and switched to typefaces which have freer licenses.
PasswordsCon has a tradition of including pictures of cats on slides that present background that most audience members are already familiar with. I had also been challenged to include something from my visit to the Vasa Museum.