0

I was signing up for an app for a credit card I have and I encountered an SMS 2FA format I had never seen before. The code was 47Φ⅗, that is, two digits, then capital Phi, then the fraction three-fifths. To input it there were on-screen buttons, 0 to 9 then 10 assorted Unicode letters and icons.

A previous SMS 2FA from the same app was a standard 6-digit TOTP, so does anyone have an explanation as to what kind of attack they were trying to mitigate?

Ken Y-N
  • 101
  • 4

1 Answer

0

Based on the way you presented this, it's not a Time-based One Time Password (TOTP), which would use a token or application, but sounds like a One Time Password (OTP).

Without any additional details I'd posit that they are increasing the OTP entropy without increasing the size of the password. For an OTP of six characters using ten possible choices (0-9) there are 10^6 possibilities or 1,000,000. By increasing this to twenty possibilities (0-9 and ten unicode characters) it increases the possible combinations to 20^6 or 64,000,000 combinations.

The OTP entropy (log2(R^L)) increases from about 20 to about 26. The increase is about the same as if you increased the OTP from six to eight characters and kept the choices (0-9) the same. This isn't a significant enough change in entropy to have much of a preventative effect if you could brute force the OTP.

kenlukas
  • 835
  • 6
  • 18
  • 1
    They used only 4 characters giving 20^4 combinations, 17 bits of entropy which is less than the entropy of 6 normal digits. My guess: this is just security theatre, trying to look more secure at the expense of usability. – Jeff Jun 22 '22 at 19:03
  • @Jeff I completely misread that. If there's no more information I'll delete the answer. I agree it sounds like security theatre. – kenlukas Jun 22 '22 at 19:19
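The entropy arithmetic in the answer and in Jeff's comment (log2(R^L) for alphabet size R and code length L), carried through for each configuration discussed, together with what it means for an online guesser who is capped at a fixed number of attempts. This is an added example, not code from the answer or from the app in question; the ten non-digit symbols in MIXED and the attempt cap of 100 are assumptions made up for the illustration, since neither is given on the page.

```python
import math
import secrets

# Constructed alphabets for the example. The page only says "10 assorted
# Unicode letters and icons"; these ten Greek capitals are a placeholder
# assumption so that the mixed alphabet has 20 choices like the one described.
DIGITS = "0123456789"
MIXED = DIGITS + "ΦΨΩΣΔΛΠΘΞΓ"

# Assumed per-code attempt cap for the brute-force calculation (not from the page).
ASSUMED_ATTEMPT_CAP = 100


def otp_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a code drawn uniformly from R symbols, L long: log2(R^L)."""
    return length * math.log2(alphabet_size)


def brute_force_success(alphabet_size: int, length: int, attempts: int) -> float:
    """Probability that an online guesser who gets `attempts` tries at one fixed
    code succeeds. Each distinct guess removes one candidate, so it is
    attempts / R^L, capped at 1 when the whole space can be enumerated."""
    space = alphabet_size ** length
    return min(attempts, space) / space


def generate_otp(alphabet: str, length: int) -> str:
    """Draw a code uniformly from `alphabet` using the OS CSPRNG (secrets),
    never random.choice, so the entropy figures above actually hold."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(configs, attempts: int = ASSUMED_ATTEMPT_CAP):
    """Return (name, R, L, bits, success_probability) for each configuration."""
    return [
        (name, r, l, otp_entropy_bits(r, l), brute_force_success(r, l, attempts))
        for name, r, l in configs
    ]


# The four cases discussed on the page: the standard 6-digit code, the
# answer's hypothesised 6-character mixed code, the 4-character mixed code
# the asker actually received, and the 8-digit code the answer compares to.
PAGE_CONFIGS = [
    ("6 digits", len(DIGITS), 6),
    ("6 mixed", len(MIXED), 6),
    ("4 mixed", len(MIXED), 4),
    ("8 digits", len(DIGITS), 8),
]

if __name__ == "__main__":
    print(f"{'config':<10}{'R':>4}{'L':>4}{'bits':>8}{'P(guess in ' + str(ASSUMED_ATTEMPT_CAP) + ')':>22}")
    for name, r, l, bits, p in compare(PAGE_CONFIGS):
        print(f"{name:<10}{r:>4}{l:>4}{bits:>8.2f}{p:>22.2e}")
    print("sample 4-character mixed code:", generate_otp(MIXED, 4))
```

The table this prints is the practitioner's check on the thread: the 4-character mixed code (about 17.3 bits) is weaker than the ordinary 6-digit one (about 19.9 bits), and in every row the attacker's odds are set almost entirely by the attempt cap and the code's lifetime, not by whether the alphabet has 10 or 20 symbols.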