Let's use Google Authenticator as an example. A 6-digit code is generated every 30 seconds. Each random attempt has a 1/1,000,000 chance of success.

The server will usually accept codes within ±30s, which increases the chance of each attempt to 3/1,000,000.

If the attacker tries one code every minute for 200 days, then he/she will have a 92.5% chance of breaking the system.

What are some countermeasures that big companies like Google/Amazon/Facebook/Twitter/Microsoft use to mitigate this issue?

Steve
    First mitigation is throttling. After a few failed tries, it goes from being able to guess once per minute to being able to guess once every 15 minutes. Your 200 days goes to 3,000 days. Next mitigation is logging when accounts and IPs get throttled, and when something is consistently throttled, let a human (account owner, admin, etc.) know that someone is actively attacking. – Ghedipunk Jul 29 '19 at 20:22
  • See also [Two factor brute force protection](https://security.stackexchange.com/questions/120371/two-factor-brute-force-protection). – Sjoerd Jul 30 '19 at 08:43
  • See also [Best practices for handling wrong TOTP tokens](https://security.stackexchange.com/questions/145604/best-practices-for-handling-wrong-totp-tokens). – Sjoerd Jul 30 '19 at 08:46
  • @Sjoerd I'm afraid that your two linked answers do not help against the specific attack described here. – A. Hersean Jul 31 '19 at 16:34
  • First mitigation is the first factor :) – eckes Aug 01 '19 at 01:01

1 Answer

Consecutive failures on an account since last success should be a red flag.

Increasing lockout time for attempts from devices new to that user might have value.

If the account is consistently being rejected at the second factor, then you can presume that the password has been compromised and reach out to the user.

In any case, pay attention to consecutive failures.

tjd
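The two mitigations discussed on this page, the consecutive-failure red flag from the answer and the per-account throttling from the comment, as an added example that is not code from the question, the answer, or any vendor. The policy values (3 free attempts, a 15-minute lockout that doubles up to a 24-hour cap, an alert after 10 consecutive failures) are assumptions chosen for illustration, and the codes valid in the drift window are taken as already computed by a TOTP routine elsewhere; the attacker model (one guess per minute, all failing) follows the question. The last two functions show how many guesses the policy leaves the attacker and what that does to the success probability.

```python
import hmac
from dataclasses import dataclass

# Policy knobs: assumed values for illustration, not any vendor's settings.
FREE_ATTEMPTS = 3           # failures tolerated before throttling kicks in
BASE_LOCKOUT_S = 15 * 60    # first lockout: 15 minutes (as in the comment above)
MAX_LOCKOUT_S = 24 * 3600   # cap for the doubling lockout
ALERT_AFTER = 10            # consecutive 2nd-factor failures -> notify the user

@dataclass
class SecondFactorState:
    """Per-account counters kept server-side (hypothetical schema)."""
    consecutive_failures: int = 0   # failures since the last successful 2FA
    locked_until: float = 0.0       # unix time; 0 means not locked
    alert_raised: bool = False      # owner/admin has been told about the attack

def lockout_seconds(consecutive_failures: int) -> int:
    """Lockout imposed after this many consecutive failures; doubles each time."""
    excess = consecutive_failures - FREE_ATTEMPTS
    if excess < 0:
        return 0
    return min(BASE_LOCKOUT_S * 2 ** excess, MAX_LOCKOUT_S)

def verify_second_factor(state, submitted, valid_codes, now):
    """Check a submitted code against the codes valid in the accepted drift
    window (previous, current and next 30 s step, computed elsewhere)."""
    if now < state.locked_until:
        return False, "locked"          # refuse without even comparing
    if any(hmac.compare_digest(submitted, c) for c in valid_codes):
        state.consecutive_failures = 0  # success resets the red-flag counter
        state.locked_until = 0.0
        return True, "ok"
    state.consecutive_failures += 1
    state.locked_until = now + lockout_seconds(state.consecutive_failures)
    if state.consecutive_failures >= ALERT_AFTER and not state.alert_raised:
        state.alert_raised = True       # presume the password leaked; reach out
    return False, "rejected"

def guesses_possible(seconds, lockout=lockout_seconds, rate_s=60):
    """Guesses an attacker firing one per minute can make in `seconds`
    when every guess fails and the lockout policy is applied."""
    t, n = 0.0, 0
    while t < seconds:
        n += 1
        t += max(rate_s, lockout(n))
    return n

def success_probability(guesses, codes_per_window=3, code_space=10**6):
    """P(at least one hit) when `codes_per_window` of `code_space` codes are accepted per try."""
    return 1 - (1 - codes_per_window / code_space) ** guesses
```

Pass `lockout=lambda n: 0` to `guesses_possible` to get the unthrottled baseline of one guess per minute for comparison.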