I am evaluating a two-factor authentication system that uses a time-based one-time password algorithm. This runs as an Android application.
As you would expect, this seems to be using a seed and the current time to generate a one-time passcode. The seed is stored in the data/data directory so is relatively well protected.
However, the time is fully under my control. I have set the time into the future, grabbed codes, and then used the on schedule.
This seems like a bit of a glaring hole in soft-tokens. Get hold of the phone for 10 minutes, set the time to the future, grab a series of tokens, and then reset the time.
If I had a hardware token, it would be virtually impossible for me to change the time into the future, grab codes, and then revert the time in the space of 10 minutes.
I feel this is a viable risk for many users who can be careless with leaving their phone unlocked.
So:
- Why is this not a problem?
- How would you mitigate against it if it is a problem?