Hacker News
by dsfyu404ed 2898 days ago
If the adversary has the level of physical access required to pull this off you've already lost.
3 comments

Exactly. If the adversary has a camera pointed at your keyboard, they can even possibly attempt the more radical (and indefensible) “I literally recorded what you typed” attack. Scary stuff.
I think the argument here is that, since it can happen 30s later, you could enter your password, look at the screen, lock your screen & walk away, without being safe. Imagine a location where the mobo itself is secure enough to prevent anyone from quickly inserting something, but anyone could have quick access to the keyboard & monitor.

In that (highly contrived) situation, this attack is useful, since all you'd need is a quick thermal pic, no longer recording needed.

Keypads are, by far, the biggest target for this attack.
Indefensible is debatable. It can be defeated using any of the major 2FA mechanisms (FIDO U2F, HOTP/TOTP come to mind).
It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

With that in mind, a TOTP solution probably won't help: most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock drift. If you're already using the computer 1 minute after the real owner has left, it is possible you could reuse any valid code - if you captured it.

Allowing adjacent codes and accepting the same code twice is not the same. I would be surprised if TOTP allowed for accepting the same code twice.
I wouldn't be surprised... Seeing how bad we generally are at infosec. But it'd definitely be against a sane TOTP spec to allow a "one time pass" more than once.

In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.

Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.
> but also because otherwise the user could be locked out for 60s.

I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but about not allowing the valid OTP to be used twice. In the worst case, once the user has logged in he can't log in from another device for 60s. Not a huge limitation. Also, AFAIK 30s rotation of the OTP is more common/standard.

>It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.

RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).

What's that saying, 'physical access is total access'?
Physical access is often considered total access in the infosec community.

It implies the ability to, with enough prep time ahead of the actual physical access, inject malware through a physical interface (USB flash drive, rogue peripheral/HID, directly interfacing with an existing HID device), among others.

Edit: and in this case it includes planting cameras and other recording devices which can be assumed to have effectively limitless video/audio resolution.

It implies using your laptop in public, or typing in a keypad. And keypads tend to be used to separate public and private areas (and even worse, people leave the scene immediately after using it, making the attack even more inconspicuous).
One can easily attach a long tele lens to one of these cameras, so one could capture passwords through windows. Specialized IR lenses are expensive, but regular lenses can do a good enough job.

Edit: my bad, IR doesn't go through most glass. Still, laptops are commonly used in public, and through lenses or otherwise, your password can be leaked. That's worrying enough to stop the "physical access means total access" adage in this thread.

Good IR tele lenses are not just expensive, they don't even have prices, they have "phone numbers". So you would have to get money from really a lot of people just to pay for the IR camera and the lenses.
https://www.amazon.com/Fluke-FLK-LENS-4XTELE2-4X-Telephoto-T...

Basically double that of high end SLR lenses.

Thermal cameras don't really work through glass