Hacker News new | ask | show | jobs
by will4274 2590 days ago
How many people can recite their SSH key? Surely an SSH key is "something you have".
1 comments
wnevets 2590 days ago
Having two different static passwords on an account isn't actually two different factors, whether you can recite them or not.

The fact that one time passwords expire and change is what makes them a different factor than a static password.

link
thaumasiotes 2589 days ago
> The fact that one time passwords expire and change is what makes them a different factor than a static password.

If you're getting your 2FA code by SMS message or the like, this can be true.

If you're using TOTP (e.g. Google Authenticator), that's just as static as your other passwords. The TOTP code never expires nor changes. What changes is the code you're supposed to send over the wire.

link
theamk 2589 days ago
Eh? TOTP usually expire in 60 seconds, so in most cases even if you accidentally leak it, it will be safe.

(and you are not likely to leak it anyway -- with something that changes that often, you are not going to have an incentive to write it to files)

link
thaumasiotes 2589 days ago
A 60-second TOTP code is a fully deterministic function of a permanent, unchangeable secret. That's why you and the server can agree on what the code should be without needing to communicate beyond setting up the code originally.

This makes it identical to a password from a theoretical perspective. There's really no difference between a TOTP secret that you keep in a TOTP app and haven't memorized, and a password you keep in your password manager and also haven't memorized. Both are "something you know", and nothing else.

You're correct that leaking a temporary code from a single login attempt doesn't compromise the TOTP secret. That is an artifact of the login process, not of whether the mechanism is labeled "2FA" or "password". You can do the same thing while calling the secret a password: https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...

link
theamk 2589 days ago
I disagree, I believe TOTP belongs firmly in the "something you have" category. You cannot memorize TOTP password, nor you can store in your password manager. You also cannot pass that knowledge to another person. So this is more like a public key than a password.

Ultimately, everything is "permanent, unchangeable secret", including private key and biometric data. Where the data is stored and how is it accessed makes all the difference.

I could not find the original definition of "something you have", but modern standards like PCI actually give OTP auth as an example of "something you have" (p. 4 of [1])

(I am not looking at the degenerate case of running TOTP app on the same device / same security domain -- it does not describe most cases, and there are some fairly straightforward technical measures to defeat this)

[1] https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...

link
thaumasiotes 2588 days ago
> You cannot memorize TOTP password, nor you can store in your password manager. You also cannot pass that knowledge to another person.

But none of these things are true. For example, my most recent job involved sharing a 2FA-protected online account. We all had the code.

link
michaelmior 2588 days ago
> nor you can store in your password manager

Some 2FA apps also allow you to back up your codes to a cloud service.

link