First of all, nice work looking into the security of this kind of tool.
Let's talk TOTP
To generate your time-based passwords, we need two bits of information:
- A secret key
- The current UNIX Timestamp
The timestamp is easy -- but the secret key is meant to be a secret: something you know, and that the site you're logging into knows. Anybody else who has this key (including this site) can generate valid codes for your accounts as well.
But, this code isn't useful on its own -- we'll also need your username or email, and your password for most sites. This is the first factor in most multifactor setups.
Since it is only one factor, it cannot be used alone to log in.
There are two ways of getting a code from this API. One is via a GET request, the other via a POST.
The GET variant relies on a query-string parameter to carry your secret key. This site only operates over HTTPS, so that takes anyone sniffing the wire out of the loop -- but it doesn't change the fact that our access.log will record your secret key, and so will your browser history.
In this case, a POST request is a bit more secure, since the secret is sent in the request body (which isn't logged) and we render the code. Your browser history will show that you used this site's TOTP generator, but won't contain the secret. Pretty sweet!
What this site is, and isn't
This site enables programmatic generation of TOTP codes, but it shouldn't be used against production systems or sensitive data. In the event this site is compromised, one factor of your authentication may be as well. Do not use this for day-to-day auth; do use it for automating processes...
It is trivial to stand up a code-generating service like this. I'm not that smart, but somebody on GitHub was, so that's who I'm using. If you don't trust this service but want to have the benefits, spin up a box and throw a TOTP code generator app on it. Make sure it's an API and you'll be golden!
And again, :ezclap: for taking the time to read a quick security doc. Your CISO thanks you.