January 19, 2026
DIY 2FA or DIY disaster?
MTOTP: Wouldn't it be nice if you were the 2FA device?
Geeks pitch “be your own 2FA” and commenters clap back: “It’s just a password”
TLDR: mTOTP lets you compute login codes in your head instead of using a device. The community is split: some love the human-first experiment, while many argue it’s not true two-factor authentication and warn about security risks, calling it basically a password with extra steps.
Meet mTOTP, the brain-powered code maker that wants you to be your own security gadget. Instead of a phone app or a tiny key like a YubiKey, you do a simple set of number steps in your head to generate a one-time login code. The creator even says it’s not production crypto, just an experiment, and you pick the exact time you’ll log in—turning authentication into a planned moment, not a guess. Cue the comments section, which turned into a full-on cage match.
The loudest chorus: “This isn’t real 2FA.” Skeptics argue that two-factor authentication means something you own or are (like a device or fingerprint), not “something you know plus mental effort.” One critic boiled it down to a password with cardio, while another called it a manual “hash with a timed salt” (translation: you mix your secret with the current time). Security folks warned that a few correct codes could let an attacker reverse the secret, so don’t type it into sketchy sites.
But there’s curiosity too. Fans say it’s auditable, deterministic, and a fascinating test of how far human-friendly security can go. Memes flew: “CrossFit for logins,” “Be your own YubiKey,” and “Brain gains > device chains.” Whether genius or gimmick, this brainy login hack lit up the crowd—and the debate is spicy.
Key Points
- mTOTP is an experimental, human-computable OTP protocol derived from a numeric secret and a planned login time.
- The design goals are determinism, mental tractability, auditability, and reproducibility by humans and software.
- The algorithm includes building a time vector, deriving a key-based S-box, mod-10 digitwise combination, substitution, diffusion, folding, and final digit calculation.
- The protocol allows OTPs for future times; the verifier checks against an agreed authentication moment.
- Demos, invariants/sanity checks, a testing tool, and a PAM plugin are provided; a Keycloak plugin is planned (TBD).
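An added illustration of the verifier side described in the last two points, not code from the mTOTP project: the server only accepts a code for a login moment the user agreed in advance, and a code for a consumed moment cannot be replayed. The `otp_for` function is a stand-in HMAC computation, not mTOTP's human-computable steps (the page only names its stages), and the secret, user name and minute values are constructed.

```python
import hmac
import hashlib

def otp_for(secret: bytes, moment: int, digits: int = 6) -> str:
    """Stand-in for the code a user would compute for an agreed minute.
    Assumption: this is NOT mTOTP's mental algorithm; it is an HMAC of the
    agreed minute, used only so the verifier below can be exercised."""
    mac = hmac.new(secret, str(moment).encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class AgreedMomentVerifier:
    """Accepts a code only near the moment the user planned to log in."""

    def __init__(self, secret: bytes, tolerance_minutes: int = 1):
        self.secret = secret
        self.tolerance = tolerance_minutes
        self.agreed = {}    # user -> agreed minute (constructed epoch minutes)
        self.used = set()   # (user, minute) pairs already consumed

    def schedule(self, user: str, agreed_minute: int) -> None:
        # The user commits to a login moment ahead of time.
        self.agreed[user] = agreed_minute

    def verify(self, user: str, code: str, now_minute: int) -> bool:
        agreed = self.agreed.get(user)
        if agreed is None:
            return False                     # nothing was scheduled
        if abs(now_minute - agreed) > self.tolerance:
            return False                     # outside the planned window
        if (user, agreed) in self.used:
            return False                     # replay of a consumed moment
        expected = otp_for(self.secret, agreed)
        if not hmac.compare_digest(code, expected):
            return False                     # wrong code for that moment
        self.used.add((user, agreed))        # one code per agreed moment
        del self.agreed[user]
        return True
```

Because the code depends only on the secret and the minute, anyone holding the secret can produce it; the window and replay checks limit reuse but do not turn the knowledge factor into a possession factor.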