
I think the title should change to

"AI models hallucinate less than AI company executives"


Couldn't agree more lol. While human hallucinations may only have a limited impact, the implications of AI model hallucinations are uncontrollable given their widespread use in daily life.


I recently discovered them; it is pretty cool. I really wish we could use it for our business workflows.

Also check https://conductor-oss.org/


What is the expected cost of running those tests? I think it would be a good argument to compare this to the running cost of unit / integration tests for a function (based on action runners).

If it is so expensive, it can be distributed as a simple GitHub integration / action that runs periodically, what do you think?

Also see, https://dl.acm.org/doi/abs/10.1145/3663529.3664458


Client and server can potentially agree on the counter with a handshake.


How does such a handshake agreement get triggered?

How does the server know that the handshake request is not malicious? 2FA that is resettable on demand (without 2FA) effectively voids the whole concept, does it not?

With HOTP, the counter is the shared secret --- but a dynamic and potentially unstable one. One failed request or one missed response and the counters on client and server are no longer in sync. Hence, a failure waiting to happen on an unreliable network.


Why is the counter the shared secret? In TOTP, time is the counter and it is obviously not secret, so there is no reason to think the counter would be secret either. Clients can sync their counter to match the server.


In TOTP, time exists independent of both client and server and, as you point out, is no secret to either.

In HOTP, the secret counter is not independent and must remain synchronized between client and server.

A counter that can be synchronized on demand is kinda superfluous --- not really secret and not terribly relevant either. All else being equal, an attacker can sync up just as easily as a legitimate client so why bother with the counter?

I expect HOTP exists somewhere out there in the real world but I have yet to encounter it. Every 2FA I have actual experience with has been TOTP.


> A counter that can be synchronized on demand is kinda superfluous --- not really secret and not terribly relevant either. All else being equal, an attacker can sync up just as easily as a legitimate client so why bother with the counter?

A unique counter for each authorization attempt ensures the resulting key is different for each attempt, which makes replay attacks impossible. I agree that if you sync the counter two ways, it is better to use a "nonce", a totally random secret each time.
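As an added illustration of the replay point above (example code, not from the thread or any project): an RFC 4226 HOTP generator next to a server-side verifier that keeps a per-user counter, accepts a code only for a counter strictly above the last accepted one within a look-ahead window, and advances past it on success, so a code that was already used can never be accepted again. The `HotpVerifier` class and the window size of 10 are assumptions; the secret is the RFC 4226 test-vector key, used here as a constructed sample.

```python
# Added example (not from the thread): RFC 4226 HOTP with a server-side
# look-ahead window and a monotonically advancing counter. Any code for a
# counter at or below the last accepted one is rejected as a replay.
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 test-vector key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226)."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side (assumed design): remembers the next expected counter and
    only accepts codes for counters at or beyond it, within a look-ahead
    window. Moving the counter forward is what makes each code single-use."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0  # next counter value the server will accept

    def verify(self, code: str) -> bool:
        # Resync tolerance: the client may have generated a few unused codes.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # never accept this counter again
                return True
        return False  # stale (replayed), beyond the window, or simply wrong
```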


Some banks in Switzerland give customers a device that generates TOTP codes.


No, RSA is asymmetric, where it has a public/private key pair.

HMAC is symmetric; it only has a secret and it can be used to hash values one-way.


Agree and disagree,

Deciding on how to store the credentials is still a hard task. Even storing the secret: ideally it shouldn't be kept as plain text in your database. If you use cloud, something like KMS can be used for additional security. Also you should still consider replay attacks, rate limits etc.

I agree in the sense that TOTP is hard to implement, no it is not. I hope this article helped people understand how TOTP works.


Hashing is done before storing the secret on the server side. Therefore they still need to communicate regarding the initial secret.


Clicking anywhere else discards it.

I have removed the popup anyway; it seems most people don't like it.


Nope, not AI generated; I used excalidraw. Only the cover page is AI generated.

The clock drawing was an asset; I didn't really spend time trying to match the time on the clock to the time mentioned by the actors.

