
Given the increasingly widespread adoption of Time-based one-time password (TOTP) in view of SMS OTP hacks, is Time-based one-time password (TOTP) sufficiently secure as another factor of authentication, on top of username/password?

I refer to https://blog.malwarebytes.com/cybercrime/2019/01/two-factor-authentication-defeated-spotlight-2fas-latest-challenge/, where attackers proxy the credentials in real time.

Would adding another random input help to further secure TOTP?

Reference: TOTP: Time-Based One-Time Password Algorithm - https://tools.ietf.org/html/rfc6238

Nathan Aw
  • From your own link: "The defeat of certain forms of 2FA isn’t a call for total abandonment nor should it be considered as one." – schroeder Jan 23 '22 at 19:40
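The question cites RFC 6238, so here is an added example (not from the question or from either answer) implementing TOTP as that RFC specifies, checked against the RFC's own Appendix B test vectors, together with a small server-side verifier that tolerates one step of clock drift and refuses to accept a time step twice. It makes the scope of the factor visible: a correct code proves possession of the shared secret at roughly the current time, and a code that has already been consumed is rejected, but nothing in the code records which site it was typed into. The class and parameter names (`TotpVerifier`, `window`) are this example's own.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"
STEP = 30    # time step in seconds, the RFC default
DIGITS = 8   # the RFC test vectors use 8 digits; many deployments use 6


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (name and structure are this example's own).

    Accepts the current step and `window` steps on either side to tolerate clock
    drift, and remembers the newest step already used so the same code cannot be
    accepted twice (RFC 6238 section 5.2). Nothing here depends on where the user
    typed the code: the code proves knowledge of the secret at this time, not the
    site it was entered on.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1  # highest step accepted so far

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # that step was already consumed: replay is refused
            if hmac.compare_digest(hotp(self.secret, step, DIGITS), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC_SECRET, t))  # matches the SHA-1 column of RFC 6238 Appendix B
```

The `last_step` bookkeeping is what stops a code that was observed (for example on a shoulder-surfed screen) from being reused inside its 30-second validity; it does nothing against a code that reaches the server for the first time through a relay, which is exactly the gap the linked article describes and the reason the answers below point at origin-bound mechanisms for that threat.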

2 Answers


Is Time-based one-time password (TOTP) sufficiently secure as another factor of authentication, on top of username/password?

This depends on what you're protecting against.

For the mass of users, the threat is password reuse and automated, blind attacks that do not target specific individuals, but rather random leaked account-password combinations.

Those attackers, generally speaking, do not mount an attack against your phone; they'll simply try leaked passwords.

It will also protect against random phishing mails, as simply entering username and password on a phishing page will not be enough; the attacker will have to get the OTP secrets as well.

It is probably less effective against targeted threats that go after an individual user and are willing to spend resources on attacking that single user on multiple platforms, e.g. infecting both computer and phone with malware.

In this case, a physical token such as a Yubikey may be a good way to store secrets - inaccessible even if you manage to infect the computer or phone.

It's also worth noting that many services, such as Microsoft, are moving to mutual authentication where details of the login are transmitted from the login environment to the phone app. This is probably better than apps that simply show rolling codes on the phone - but at the cost of no standard so far, so one app per vendor.

As always: security is a trade-off. Offline TOTP is a lot better than SMS. Offline TOTP stored in a secure environment (such as Yubikey) is better than Offline TOTP stored in software on a computer.

vidarlo

It really depends on what you're protecting against.

For websites, the gold standard is WebAuthn or FIDO2 because those provide protection from phishing. In those situations, the web browser reports the actual site, not just the site you think you're on, to the security key and as such, it makes phishing nearly impossible. Because the operation involves a secure digital signature, it is computationally infeasible to forge.

However, TOTP is a major improvement over SMS based authentication because it is generally much more difficult to intercept and changes constantly unlike a password, even though it is vulnerable to phishing if the attacker logs in to your account right away. I personally use it as a backup solution to my YubiKey in case the YubiKey gets lost.

As vidarlo notes, there are a variety of proprietary solutions from companies like Duo and Microsoft that send login requests to a phone. However, these are also subject to phishing in the same ways as TOTP, and nobody wants to install a bunch of different apps on their phone for every random website, so these are usefully limited to corporate environments only.

So if your concern is protecting against weak passwords or random guessing, then any form of 2FA is likely to be good enough. If you want to protect against attackers who are actively trying to compromise high value targets, SMS should be avoided and at least TOTP, if not also WebAuthn, should be deployed.

My personal recommendation for websites deploying 2FA is to deploy WebAuthn and TOTP. These are the best possible options and are open standards, they support the widest variety of devices, and they also avoid the inconvenience of sending SMS across different countries (which I can tell you from personal experience breaks often when you have a foreign phone number). For sites that do offer SMS 2FA, I recommend providing the ability to turn it off, so folks who are at high risk or who are concerned about security don't have to worry about it as a threat model.

bk2204
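To make bk2204's point about origin binding concrete, here is an added simulation (not from the answer, and not a WebAuthn library) of the three checks a relying party performs on a WebAuthn assertion: that the challenge is the one it issued, that the origin the browser recorded in clientDataJSON is its own, and that the signature covers authenticatorData plus the hash of that client data. The signature uses HMAC-SHA256 with a per-credential secret as a stand-in for the authenticator's EC signature so the example runs on the standard library alone; the RP ID `example.com`, the second origin `https://other.example`, and all function and class names are constructed for this example. Real browsers additionally refuse to use a credential whose RP ID does not match the loaded page's domain, so a relayed login fails even before the relying party's origin check; the toy authenticator below skips that browser-side rule so that the origin check itself can be exercised.

```python
import hashlib
import hmac
import json
import secrets


def rp_id_hash(rp_id: str) -> bytes:
    """WebAuthn authenticatorData starts with SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


class ToyAuthenticator:
    """Stand-in for a security key (constructed for this example). A real
    authenticator signs with an EC private key; this one uses HMAC-SHA256
    with a per-credential secret so the example runs on the standard library."""

    def __init__(self):
        self.credentials = {}  # rp_id -> per-credential secret

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key  # the relying party stores this (the public key, in real WebAuthn)

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        # Signed message is authenticatorData || SHA-256(clientDataJSON), as in WebAuthn,
        # so the origin inside clientDataJSON is covered by the signature.
        auth_data = rp_id_hash(rp_id) + b"\x01"  # flags byte: user present
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self.credentials[rp_id], signed, hashlib.sha256).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json, "signature": sig}


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser builds clientDataJSON itself and fills in the origin of the page
    that is actually loaded; page JavaScript cannot choose this value."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": page_origin}).encode()


def relying_party_verify(expected_origin: str, rp_id: str, key: bytes,
                         challenge: bytes, assertion: dict) -> bool:
    """The checks a relying party runs before accepting an assertion."""
    try:
        client = json.loads(assertion["clientDataJSON"])
    except ValueError:
        return False
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != challenge.hex():
        return False  # not the challenge this RP issued for this login
    if client.get("origin") != expected_origin:
        return False  # the browser recorded a different site: reject
    if assertion["authenticatorData"][:32] != rp_id_hash(rp_id):
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> tuple:
    """Returns (genuine accepted, other-origin rejected, rewritten-origin rejected)."""
    authenticator = ToyAuthenticator()
    rp_id, origin = "example.com", "https://example.com"   # constructed values
    key = authenticator.register(rp_id)
    challenge = secrets.token_bytes(16)

    # 1. Sign-in from the real site: the origin in clientDataJSON matches.
    genuine = authenticator.get_assertion(rp_id, browser_client_data(origin, challenge))
    # 2. The same challenge presented from another origin: the browser records
    #    that origin, so the relying party's origin check fails.
    other = authenticator.get_assertion(rp_id, browser_client_data("https://other.example", challenge))
    # 3. Assertion 2 with clientDataJSON replaced by one claiming the real origin:
    #    the signature no longer covers the modified bytes, so it fails instead.
    rewritten = dict(other, clientDataJSON=browser_client_data(origin, challenge))

    return (relying_party_verify(origin, rp_id, key, challenge, genuine),
            relying_party_verify(origin, rp_id, key, challenge, other),
            relying_party_verify(origin, rp_id, key, challenge, rewritten))


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

Cases 2 and 3 together are the property the answer relies on: the origin is written by the browser, not the page, and it is bound into the signed data, so an assertion produced on one site cannot be presented as, or edited into, an assertion for another. A TOTP code has no equivalent field, which is why the two answers rank WebAuthn above TOTP for the relay threat while still rating TOTP well above SMS.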