
I am evaluating a two-factor authentication system that uses a time-based one-time password algorithm. This runs as an Android application.

As you would expect, this seems to be using a seed and the current time to generate a one-time passcode. The seed is stored in the data/data directory, so it is relatively well protected.

However, the time is fully under my control. I have set the time into the future, grabbed codes, and then used them on schedule.

This seems like a bit of a glaring hole in soft-tokens. Get hold of the phone for 10 minutes, set the time to the future, grab a series of tokens, and then reset the time.

If I had a hardware token, it would be virtually impossible for me to change the time into the future, grab codes, and then revert the time in the space of 10 minutes.

I feel this is a viable risk for many users, who can be careless about leaving their phone unlocked.

So:

  1. Why is this not a problem?
  2. How would you mitigate against it if it is a problem?
Cybergibbons

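As an added illustration (this is not part of the question above, and not the code of the application being evaluated), here is the TOTP computation from RFC 6238 in Python. It makes the point behind the question concrete: the only moving input the generator takes is a timestamp, so anyone holding the seed can compute the code for any future 30-second window simply by supplying a future time. The secret and expected values are the RFC 4226 / RFC 6238 test vectors; the helper names (`hotp`, `totp`, `harvest_future_codes`) are mine.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP where the counter is the number of
    `step`-second intervals since the Unix epoch. Note that the caller supplies
    the time; nothing here distinguishes a real clock from a manipulated one."""
    return hotp(secret, unix_time // step, digits)


def harvest_future_codes(secret: bytes, start_time: int, count: int,
                         step: int = 30, digits: int = 6):
    """Precompute the codes for the next `count` time windows starting at
    `start_time`. Returns (valid_from, valid_until, code) tuples. This is exactly
    what a future-dated device clock lets an attacker read off the screen, done
    directly from the seed instead."""
    first = start_time // step
    return [
        (t * step, t * step + step - 1, hotp(secret, t, digits))
        for t in range(first, first + count)
    ]


if __name__ == "__main__":
    # RFC 6238 reference seed for SHA-1 (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    # Constructed sample: pretend the phone clock was moved to this timestamp.
    future = 1111111109
    for valid_from, valid_until, code in harvest_future_codes(seed, future, 3, digits=8):
        print(f"{valid_from}..{valid_until}: {code}")
```

Every code in the harvested list is the same string the legitimate app would display once the real clock reaches that window, which is why the question's attack works against any soft token whose only time source is the device clock.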