L The IntegrAuth Lab

← All practicals

P4

Add a second factor

Enroll a TOTP authenticator (RFC 6238).

  1. 1

    Set up TOTP and add the secret to your app.

    The seed is generated server-side and stored AES-GCM-encrypted — the database never holds it in the clear.

  2. 2

    Enter a 6-digit code to confirm enrollment.

    Codes are HMAC-SHA1 over a 30-second step (RFC 6238); a used step is remembered so the same code can’t be replayed.

Do it

This one happens on your account page — register a passkey, revoke a session, or enroll TOTP there.

Go to your account →

🩻 X-ray — what actually happened

Your own insert-only audit trail — the real server events, sanitized (never a secret), each linked to the lesson that explains it.

Loading…