4

I need to generate and validate a password / token for an hour.

Client -> generate password (valid for one hour)
Server -> validate it within an hour.
//System needs to work offline (TOTP)

TOTP is normally 30 seconds... So if I change the TOTP interval to 3600 seconds, will I then break the security?

Also open for any better ideas than TOTP?

Stweet
  • 143
  • 2

1 Answer

3

That is not a good idea for several reasons:

  • OTP has to be a second factor! It cannot be the only factor in authentication.
  • 30 seconds for TOTP is secure because during that time an attacker cannot test all the possible options + the first factor.
    • For 6 digits it is 1,000,000 combinations, and after 30 seconds (>3000 combinations per second) the combination is different.
    • If you extend this time of validity to 1 hour, the attacker has plenty of time to brute force this combination (~27 combinations per second).

For this use case, you should choose a different way of distributing the password:

  • SMS
  • Password is enabled for that one hour by something on the server side (in that case you need to protect that password).
Jakuje
  • 5,229
  • 16
  • 31
  • Thanks for a nice explanation on this! :) So the TOTP interval is 'just' for slowing down brute force; the 6 digits are unique whatever the interval is, 1 second or 2 hours? (A bigger interval doesn't make more number combinations valid?) – Stweet Mar 09 '17 at 20:45
  • Well ... the TOTP interval says how long the password is valid. For the whole interval, only a single password is valid. If it is valid too long, an attacker can simply crack it (or has bigger chances). – Jakuje Mar 09 '17 at 20:51
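To make the point in the answer and the comments concrete, here is an added example (written for this page, not code from either poster) that implements RFC 4226 HOTP / RFC 6238 TOTP with a configurable time step, computes the guess rate an attacker would need to sustain to cover every 6-digit code within a single window (10^digits / step, so a longer window lowers the rate needed), and shows the server-side mitigation a verifier should have regardless of the step length: constant-time comparison plus an attempt limit and lockout. The secret `12345678901234567890` is the public RFC 6238 test secret; the `Verifier` class and its `max_attempts` / `lockout` values are assumptions for illustration, not anything from the original page.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    `step` is the interval the question asks about (30 s by default, 3600 s for one hour).
    """
    return hotp(secret, now // step, digits)


def guesses_per_second_to_exhaust(digits: int = 6, step: int = 30) -> float:
    """Guess rate an attacker must sustain to try every code before the window rolls over.

    The code space is 10**digits; it only changes every `step` seconds, so a longer step
    means the attacker needs a slower (easier to sustain) rate for the same coverage.
    """
    return 10 ** digits / step


@dataclass
class Verifier:
    """Assumed server-side verifier: accepts the current and previous step (clock drift),
    compares in constant time, and locks out after repeated failures. Policy values are
    illustrative assumptions, not from the original answer."""
    secret: bytes
    step: int = 30
    digits: int = 6
    max_attempts: int = 5      # assumed policy
    lockout_seconds: int = 300  # assumed policy
    failures: int = 0
    locked_until: int = 0

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False  # still locked out: do not even evaluate the code
        current = now // self.step
        for counter in (current, current - 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret (public test vector)
    print("TOTP at t=59, step=30:", totp(secret, 59))
    for step in (30, 3600):
        print(f"step={step:>5}s: attacker needs {guesses_per_second_to_exhaust(6, step):.1f} guesses/s")
    v = Verifier(secret)
    print("valid code accepted:", v.verify(totp(secret, 59), 59))
```

With an attempt limit in place, the window length stops being the only thing standing between an attacker and the code space: a 5-attempt lockout bounds the attacker to a handful of guesses per window no matter whether the step is 30 seconds or an hour, which is the control the answer's "protect that password" remark implies for any server-validated secret.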