
I was wondering about the design of TOTP and 2FA. I learned that 2FA is any two of the following authentication methods:

  • Something you know (e.g. a password)
  • Something you have (e.g. an email address)
  • Something you are (e.g. biometrics)

Since the generated codes are based on a shared secret, shouldn't TOTP be considered 'something you know' instead of 'something you have'? That would make it not 2FA but the same method used twice.

schroeder
Bart
  • An email address is almost always "something you know" because it's accessed using a memorized secret (a password), and can be accessed that way even without possessing any specific device (or biometric). Conversely, a TOTP key is approximately impossible to memorize - certainly nobody is likely to do so - and therefore isn't considered "something you know". – CBHacking Oct 13 '21 at 08:57
  • Using a password manager to generate random passwords makes these just as impossible to memorize. Using your argument this would also be 'something you have'. I think the main difference would be that someone else doesn't have what you have and just like a password the totp secret is also stored in some way on the server side. If someone gets hold of the secret they don't need to have anything I have to generate the one time passwords. Again just like username password credentials. – Bart Oct 13 '21 at 10:46
  • Typically, a password manager is itself unlocked using a "master" password, so anything in it is a "thing you know" same as an email account. If you're instead using a different type of password manager where the passwords are stored somewhere that is not accessible to an attacker even if they know the password for it, then yes, that's essentially a "thing you have" instead. Most people don't even use password managers, though, much less ones that work that way. – CBHacking Oct 14 '21 at 02:11

1 Answer

It's a shared secret stored in a device. You don't remember the shared secret, but get the device to show proof that it has the secret and pass that along.

schroeder
  • Isn't the same argument true for all my normal passwords in my password manager? Personally I don't remember any of them. Still I consider a normal password 'something I know' and not 'something I have'. – Bart Oct 13 '21 at 10:52
  • You can convert anything into another factor. The difference being here that with TOTP, you are not providing the secret, but proof that you have the secret, and that proof is generated by the device. "But I could work out the algorithm on paper!" Yes, but then you're converting the factor. Yes, it is a shared secret. Yes, you could create a machine-generated password and have all your devices remember and even provide that secret to whatever you need to authenticate against. These are not hard and fast taxonomies. Ultimately, they are based on how they are *used*. – schroeder Oct 13 '21 at 11:54
  • I understand what you're saying. Security-wise I know TOTP is more secure than a normal password, since you don't need to send the actual password. However, I don't think everything can be converted into another factor. How can biometrics like fingerprint and iris scan be converted? I know text message is less secure, but even if your phone number is leaked, you still have to be able to receive the actual text message. If the TOTP secret is leaked you don't need to 'have' anything. Just 'knowing' it is enough. That's why it feels like 'knowing something' to me. – Bart Oct 13 '21 at 12:43
  • Maybe I'm overthinking this. Thanks for your answer and explanation. Security-wise TOTP is one of the better options, so instead of giving it the proper name (2FA or not) I'll just use it anyway. – Bart Oct 13 '21 at 12:50
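The mechanics the answer and the comments argue about, as an added example (not code from the question or answer): both sides hold the same seed, the device only ever emits a time-bound proof derived from it, and the server checks that proof by recomputing it. The seed is the RFC 6238 Appendix B test seed so the codes can be checked against the published vectors; the skew tolerance of one step is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed example seed: the 20-byte ASCII seed from RFC 6238 Appendix B,
# chosen so the output can be compared with the RFC's published vectors.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the device shows the user; the seed itself never leaves it."""
    return hotp(secret, unix_time // step, digits)


def server_verify(secret: bytes, submitted: str, unix_time: int,
                  skew_steps: int = 1, digits: int = 6, step: int = TIME_STEP) -> bool:
    """The server holds the same seed and accepts the code only if it matches the
    current step or one of `skew_steps` neighbouring steps (clock-drift tolerance,
    an assumed policy). compare_digest avoids a timing side channel on the match."""
    for k in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, unix_time + k * step, digits, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vectors (8 digits, SHA-1): device and server derive identical codes.
    for t, want in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        got = totp(SHARED_SECRET, t, digits=8)
        print(f"T={t:>10}  code={got}  expected={want}  ok={got == want}")
    # A code observed at T=59 is rejected two windows later: replaying it fails,
    # which is the property a static password does not have.
    code = totp(SHARED_SECRET, 59, digits=8)
    print("accepted in its window:  ", server_verify(SHARED_SECRET, code, 59, digits=8))
    print("accepted two steps later:", server_verify(SHARED_SECRET, code, 59 + 2 * TIME_STEP, digits=8))
```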