Hacker News new | ask | show | jobs
by stevekemp 2898 days ago
It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

With that in mind a TOTP solution probably won't help, most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock-drift. If you're already using the computer 1 minute after the real owner has left it is possible you could reuse any valid code - if you captured it.
2 comments
leni536 2898 days ago
Allowing adjacent codes and accepting the same code twice is not the same. I would be surprised if TOTP allowed for accepting the same code twice.
link
e12e 2898 days ago
I wouldn't be surprised... Seeing how bad we generally are at infosec. But it'd definitely be against a sane totp spec to allow a "one time pass" more than once.

In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.

link
angry_octet 2896 days ago
Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.
link
leni536 2896 days ago
> but also because otherwise the user could be locked out for 60s.

I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but not allowing the valid OTP to be used twice. In the worst case once the user logged in he can't login from an other device for 60s. Not a huge limitation. Also AFAIK 30s rotation of the OTP is more common/standard.

link
_verandaguy 2898 days ago
>It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.

RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).

link