63

Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this : The server generates a secret key and shares with the client (you) when the client registers with the server. Using the shared key and the current timestamp, a new password is generated every 30 seconds.

If anyone has the shared key, then they can generate the OTP themselves using the TOTP algorithm. Isn't this similar to a password? Doesn't it get reduced to having two passwords - One is the password that you use to login and the other is the shared key between you and the server?

Machavity
  • 3,766
  • 1
  • 14
  • 29
Ashwin
  • 1,607
  • 3
  • 18
  • 25
  • The main risk is that the providers database of secrets is breached. Given the frequency of this kind of event, it's a pretty significant risk, in my estimation. If you want something that isn't subject to that kind of thing, you should look at something like [FIDO2](https://fidoalliance.org/fido2/). – JimmyJames May 10 '19 at 16:14

2 Answers2

100

Passwords are revealed every time you use them: if you have two passwords and you type them into a fraudulent web form, they are both stolen.

The shared secret can't be calculated from a single OTP (or even from a set of them**), so a stolen OTP is only valid for limited time. The shared secret is never transferred during the authentication, so stealing it requires a different attack vector: access to the device where it is kept or copying it (e.g. its QR code) during the initialization.

** Calculating shared secrets backwards would be very impractical, as it's a one-way algorithm. Also, the minimum key length is 128 bits and the algorithm produces only 6 numbers i.e. ~20 bit OTP. This means for every OTP there would be oceans of potential shared secrets, and finding even a single match would only be possible with brute force i.e. calculating 2^128 hashes for every 30 seconds and ruling out every OTP that didn't match.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
  • 2
    Your answer prompts me to ask if we know how many OTPs (and their times of generation) would be needed in order to have a chance of calculating the secret. Hopefully it's a number so high that it's not something to be concerned about. – kjack May 09 '19 at 08:50
  • @kjack: The comment would have been too long, so I just edited it to my answer. – Esa Jokinen May 09 '19 at 09:05
  • 7
    @kjack 6 digits contains 19.93 bits of entropy. So, you would need at least 7 OTP tokens to get the needed 128 bits of information (128/19.93=6.42). Then you could try to brute-force the key, which needs in average 2^127 computations, which is infeasible in the foreseeable future. – A. Hersean May 09 '19 at 09:12
  • 14
    At least, indeed; 7 tokens don't necessarily contain nearly enough information, <7 never. – Esa Jokinen May 09 '19 at 09:15
  • @A. Hersean, also Esa Jokinen thank you for your prompt replies. Though I don't understand fully your explanations it sounds like it's not something we need to worry about in our lifetimes! – kjack May 09 '19 at 09:20
  • 4
    @kjack They're looking at two different kinds of attacks. The 7 tokens thing deals with the raw amount of information in the keys. If an attacker sees 6 tokens, they have 120 bits of information total. As the key is 128 bits long, they literally cannot have gathered enough information to crack the key with 6 tokens. It's like trying to guess the next number that will come up from 3 dice rolls in a row. The second part is, assuming the attacker has at least 128 bits worth of information (by seeing at least 7 keys), they still actually have to break the HOTP algorithm itself. – Cort Ammon May 09 '19 at 16:07
  • At the core of HOTP is a SHA1 cryptographic hash. While SHA1 has seen a few attacks start to chip away at it, it is considered to still be secure for preimage attacks, which is the kind of attack you'd need to go after the key. Thus, the best that attackers can do (to our knowledge), is a brute force of the entire set of potential 128-bit keys. That is not feasible for any hardware we expect to see in the forseeable future. It is more likely that someone will discover a preimage attack for SHA-1 before someone brute forces a 128 bit key. – Cort Ammon May 09 '19 at 16:10
  • And if they attack SHA-1 successfully, you are a small fish compared to those who would be attacked! – Cort Ammon May 09 '19 at 16:11
  • If you want a sense of what "forseeable future" means, I read a post which said if you used the *entire* amount of power that the sun provides the earth to brute force a 128-bit key, using the best energy efficiency numbers for modern hardware, it would still take 34,000 years to bruteforce the keyspace. In the mean time, plants die because we stole all the sunlight. – Cort Ammon May 09 '19 at 16:14
  • @CortAmmon: Information in a collection of data is not the sum of the information of each datum taken separately. You have to subtract out the mutual information to avoid double-counting it (inclusion-exclusion principle, just like with probabilities). The "6 is not enough" argument depends on transitivity of inequalities. The transitivity implication is not reversible, so you can't get to "7 is enough". – Ben Voigt May 10 '19 at 00:16
  • @BenVoigt True, I should have written "at most 120 bits." – Cort Ammon May 10 '19 at 02:04
  • @BenVoigt it's less that "7 is enough", and more that "7 is the *minimum required* number of keys to *potentially* have enough". At least that's what I understood from the comments above... – Doktor J May 10 '19 at 16:21
  • @DoktorJ: Cort had directly made the claim that each new capture added another ~20 bits of information. "If an attacker sees 6 tokens, they have 120 bits of information total." This claim was not true. – Ben Voigt May 10 '19 at 16:25
  • Sure it's true. Cort never said they were *unique* bits, which is what's relevant to an attacker. If you know my password is 8 characters long (using 7-bit ASCII encoding that's 56 bits) and you manage to collect the following from shoulder-surfing over several login attempts: `a`, `3`, `a`, `a`, `2`, `a`, `3`, `2` you technically have 56 bits of data there... but is my password actually `a3aa2a32`? No, you can only be certain my password contains one or more each of `a`, `3`, and `2`. It's a rough analogy, but I think it makes the point. – Doktor J May 10 '19 at 20:23
  • @DoktorJ: There's a difference between bits in an encoding, and bits of information. In your example the representation is 56 bits but the information is far less. – Ben Voigt May 10 '19 at 20:38
  • That's why I said the analogy was rough. My point remains the same, obtaining bits (what Cort was talking about) is not the same as obtaining *unique* bits (what you're talking about). – Doktor J May 10 '19 at 20:58
-9

OTPs are a way of not needing trusting someone with your password when you require them to know something of it (like that you have knowledge of it). In most implementations this is way things work anyway. Passwords are not passed around the net. Salted hashed passwords are. The problem is you don't necessarily trust that that's how everyone is doing things. Services such as google's just take that step away from the place your logging into and do it themselves.

So you're correct. The same things happen, nothing really changes. The only difference is who you trust, but that can be important.

ANone
  • 230
  • 1
  • 4
  • 24
    "Passwords are not passed around the net. Salted hashed passwords are." - If you mean passwords are usually salted and hashed client-side, that's incorrect. – AndrolGenhald May 09 '19 at 14:48
  • 4
    This is based on personal conception, but it's not backed up by the facts. – Esa Jokinen May 09 '19 at 19:50
  • 9
    This answer is totally incorrect. OTP's are a second step after a user has been verified by password. While salted and hashed passwords are stored on a company's servers, they should never leave the servers. The user's password is encrypted with SSL when they log in, and the hashing process happens server side. The client should never be able to know what the resulting hash or salt is. – Kevin May 10 '19 at 03:09
  • This is false. OTPs like this are an entirely separate form of authentication, requiring access to something rather than knowledge of something. Mixing that up is an easy mistake to make! – securityOrange May 11 '19 at 19:48