Google’s introduction of the otpauth URI scheme made it easy for people and organizations to deploy and for individuals to enroll in TOTP authentication.
However, the initial implementations and description of the scheme left a number of ambiguities and inconsistencies in place.
This 2019 PasswordsCon talk discussed those ambiguities and contradictions along with some of the consequences I had observed. I argue that in general we need more well-constructed standards and compliance with those standards, even though I don’t offer a clear path for fixing TOTP.
This talk was presented when I worked for 1Password. I have updated contact information in the slides and switched to typefaces which have freer licenses.
PasswordsCon has a tradition of including pictures of cats on slides that present background that most audience members are already familiar with. I had also been challenged to include something from my visit to the Vasa Museum.