HACKER Q&A
📣 ab_testing

Is using just a TOTP-based authentication safe, or a privacy issue?


Hello HN, I am envisioning a webapp with the least amount of friction to enroll a user. Is using a TOTP-based authentication with no password a safe technique, or does it have some glaring holes that I am missing?

Example - user enters an email and receives a TOTP-based 8-digit code valid for the next 10 minutes. The user enters the code and is able to view the authenticated information.


  👤 victor_e Accepted Answer ✓
It transfers the dependency from something they know (password) to something they have access to (phone or email). That thing they have access to could be compromised which then means their account is compromised. That is a risk acceptance question you need to consider.

Also to consider: What happens if a user loses their phone? How do they get access to their account?


👤 pabs3
If the TOTP code is transferred via email, then it is less secure because email is usually transferred in the clear, unencrypted. If the TOTP secret is transferred over encrypted HTTP connections via QR code or similar to the user, so the TOTP codes can be generated locally on their phone or similar, then that is more secure.

You also have to make sure to generate and transmit recovery codes in case they lose their phone.

TOTP is also kind of annoying to use.

The best auth from a security PoV is WebAuthn.
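The locally generated flow pabs3 describes (a shared secret provisioned to the user's authenticator app via a QR code, codes computed on the phone, plus single-use recovery codes for the lost-phone case victor_e raises), as an added example that is not part of any post in this thread: an RFC 6238 TOTP implementation in Python using only the standard library. The names `TotpVerifier`, `issue_recovery_codes` and the `Example` issuer are assumptions chosen for illustration, not from any library or from the OP's project; the known-answer values in the comments come from the RFC 4226 / RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

TOTP_STEP = 30    # RFC 6238 default time step, seconds
TOTP_DIGITS = 6   # RFC 6238 default code length


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI; this string is what gets rendered as the enrollment QR code.
    Serve it only over TLS: it carries the shared secret in full."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret, "issuer": issuer, "algorithm": "SHA1",
        "digits": TOTP_DIGITS, "period": TOTP_STEP,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation.
    RFC 4226 vector: secret '12345678901234567890' (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ),
    counter 0 -> 755224, counter 1 -> 287082."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp(secret: str, at: int) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // TOTP_STEP)


class TotpVerifier:
    """Server-side check for one enrolled secret: tolerates `window` steps of
    clock drift either way and refuses to accept any time step at or before the
    last one that succeeded, so a captured code cannot be replayed."""

    def __init__(self, secret: str, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1   # persist per user in a real deployment

    def verify(self, code: str, at: int) -> bool:
        step = at // TOTP_STEP
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def issue_recovery_codes(n: int = 8):
    """Returns (plaintext codes to show the user once, hashes to store).
    Only the hashes are kept server-side; a leaked table then yields nothing usable."""
    codes = [secrets.token_hex(5) for _ in range(n)]   # 40 bits each, as 10 hex chars
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_recovery_code(stored: set, code: str) -> bool:
    """Single use: a matching hash is removed from the stored set on success."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    # Enrollment: secret goes to the phone via QR; the server keeps it too.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "Example"))  # constructed account
    now = int(time.time())
    verifier = TotpVerifier(secret)
    print("current code accepted:", verifier.verify(totp(secret, now), now))
    print("same code replayed:   ", verifier.verify(totp(secret, now), now))
    plain, hashes = issue_recovery_codes()
    print("recovery codes (show once):", plain)
```

The verifier's `last_step` is the part most often omitted in homegrown implementations: without it a code intercepted in transit stays valid for the whole drift window, which is exactly the email-in-the-clear exposure pabs3 describes. A real deployment also rate-limits `verify` per account, since a 6-digit space is small enough to guess at if attempts are unlimited.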


👤 sp332
By "receives", you mean they go to their TOTP app and get a code, right?