
If there is a widely accessible TOTP website (prototype: https://depperm.github.io/) that allows users to set a date and secret they can remember or a package that allows companies/developers to create their own domain/site specific tool, what possible security flaws are there beyond having information phished, key logged, or copied in person?

The date and secret would be stored encrypted on the database (and set in the same manner as a password), so when the OTP comes in a new token can be generated from the decrypted info and validated against the incoming one.

I am aware of the potential issue of client time being different from server time, but I believe there are viable solutions for this problem and I don't see it as a security flaw but a usability flaw.

depperm
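The flow described in the question (a memorised secret plus a date, kept server-side, with the server regenerating the code and comparing it to the one the user submits) as an added, self-contained example. This is not the asker's prototype code nor anything taken from depperm.github.io. The page does not say how the date and secret are combined into a key, so deriving the HMAC key with PBKDF2 (date as salt) is an assumption made here; the code generation and the skew window are plain RFC 4226 / RFC 6238. Storage encryption of the secret and date is out of scope and not modelled.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 4226 default code length


def derive_key(secret: str, date: str) -> bytes:
    """Fold the memorised secret and date into one HMAC key.

    Assumption (not stated on the page): the secret and date are combined
    with a password KDF. PBKDF2-HMAC-SHA256 is used here, with the date as
    salt, so two users who pick the same word but different dates end up
    with unrelated keys. 20 bytes matches the RFC 6238 SHA-1 test vectors.
    """
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), date.encode(),
                               100_000, dklen=20)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to DIGITS decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(T / step)."""
    return hotp(key, unix_time // STEP_SECONDS)


def verify(key: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check as the question describes: regenerate the code
    from the stored material and compare. The +/- `window` adjacent steps
    tolerate a small clock skew between client and server; comparison is
    constant-time so a timing side channel does not leak digit matches."""
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False
    base = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    key = derive_key("correct horse", "1999-12-31")
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    print("accepted now:", verify(key, code, now))
    print("accepted 3 steps later:", verify(key, code, now + 3 * STEP_SECONDS))
```

The `hotp` function can be checked against the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`, counter 1 gives `287082`), which is the first thing to do with any home-grown OTP implementation before trusting it.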

1 Answer


what possible security flaws are there beyond having information phished, key logged, or copied in person

Does one really need more problems on top of these? Basically it is asking to enter critical information into an untrusted third-party site. Untrusted here means both that one cannot trust the third party not to have shady intents and that one cannot trust the party not to be hacked and backdoored, since such a site would be a very valuable attack target.

Apart from that, what you describe is basically a black box similar to a software app or a hardware token, i.e. the specific implementation is not clear and thus one cannot point out specific implementation problems. Compared to existing approaches it is kept online though, which might open it up to DoS attacks that make it unavailable. If users rely on it to provide their authentication tokens, this essentially means denying authentication to the users.

Steffen Ullrich
  • In regards to the 3rd party site, if this idea gains traction couldn't companies implement their own tool (no need for a 3rd party site)? Would storing an encrypted date/secret on a company's site next to the password make a target any more valuable than one with just a password? Thanks for your input, I hadn't thought about DoS attacks – depperm Feb 24 '21 at 11:44
  • In regards to key logging, the date can be set without typing, so even if someone got the secret with that method they don't necessarily have the date, which can basically be anything – depperm Feb 24 '21 at 11:48
  • @depperm: *"Would storing encrypted date/secret on a company's site next to the password make a target any more valuable than one with just a password?"* - assuming that the protected value is the same it would not be more valuable. But 2FA is usually employed if the protected value is higher - which means getting the information to compromise it would be more valuable. – Steffen Ullrich Feb 24 '21 at 19:28