Hacker News
by d-z-m 762 days ago
Do you protect against brute-forcing the TOTP code, i.e. via rate-limiting or a set number of retries? I took a quick glance at the code and couldn't find anything to this effect.

The scenario I'm imagining is: someone opens the TOTP entry UI in their browser, opens devtools, and starts to loop through all possible TOTP codes.


Yep! I do indeed have protections against brute-forcing TOTP codes: effectively, each authentication has a number of "attempts" a user can make before their account gets locked, and an admin is then required to unlock it.

Specifically to force people to have a bit of a think as to why their device is trying to force auth to begin with, as it indicates an endpoint compromise.
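The lockout described in the reply above, as an added example that is not wag's own code: a Go TOTP verifier (RFC 6238, HMAC-SHA1, 30-second step, plus one step of clock skew either side) that counts wrong codes per account, locks the account after a fixed number of failures, refuses even the correct code while locked, and clears the lock only through an explicit admin call. The limit of 5 attempts, the type and function names, and the skew window are assumptions for illustration; the secret and timestamp are the RFC 4226/6238 test vectors, so the expected code (287082) is known. BruteForce plays the role of the devtools loop from the question.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

// totp returns the RFC 6238 code (HMAC-SHA1, 30-second step, 6 digits).
func totp(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

const maxAttempts = 5 // assumed limit for this example; the real value is not on the page
var ErrLocked = errors.New("account locked: an administrator must unlock it")

type account struct {
	secret   []byte
	failures int
	locked   bool
}

type Authenticator struct {
	mu    sync.Mutex // serialises checks so parallel requests cannot race past the limit
	users map[string]*account
}

func NewAuthenticator() *Authenticator { return &Authenticator{users: map[string]*account{}} }

// Enroll registers a user's secret; assumed to run before the service takes requests.
func (a *Authenticator) Enroll(user string, secret []byte) { a.users[user] = &account{secret: secret} }

// Verify checks one submitted code. Wrong codes are counted until AdminUnlock or
// a correct code resets the counter; a locked account rejects even the right code.
func (a *Authenticator) Verify(user, code string, now time.Time) (bool, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	acc, ok := a.users[user]
	if !ok {
		return false, errors.New("unknown user")
	}
	if acc.locked {
		return false, ErrLocked
	}
	// Accept the current step and one step either side for clock drift.
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		want := totp(acc.secret, now.Add(skew))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			acc.failures = 0
			return true, nil
		}
	}
	acc.failures++
	if acc.failures >= maxAttempts {
		acc.locked = true
		return false, ErrLocked
	}
	return false, nil
}

// AdminUnlock clears the lock and the counter; only an administrator calls it.
func (a *Authenticator) AdminUnlock(user string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if acc, ok := a.users[user]; ok {
		acc.failures, acc.locked = 0, false
	}
}

// BruteForce plays the devtools loop: submit 000000, 000001, ... until accepted or locked.
func BruteForce(a *Authenticator, user string, now time.Time) (attempts int, success bool) {
	for i := 0; i < 1000000; i++ {
		attempts++
		ok, err := a.Verify(user, fmt.Sprintf("%06d", i), now)
		if ok || errors.Is(err, ErrLocked) {
			return attempts, ok
		}
	}
	return attempts, false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test-vector key
	now := time.Unix(59, 0)                  // test-vector time: expected code 287082
	auth := NewAuthenticator()
	auth.Enroll("alice", secret)
	n, got := BruteForce(auth, "alice", now)
	_, err := auth.Verify("alice", totp(secret, now), now)
	fmt.Printf("attacker: %d attempts, success=%v; legit user now gets: %v\n", n, got, err)
}
```

The caveat the thread circles around is visible in the code: the skew window means three codes are valid at any moment, so a guess has a 3 in a million chance rather than 1, and the lock is what keeps the attacker from ever getting more than a handful of guesses. The price is that the legitimate user is locked out too until an admin steps in, which is exactly the "have a bit of a think" signal the reply describes.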

I can't speak to the specifics of this particular implementation, but usually if someone has the login (username + password) to get to TOTP, that user has already been compromised.
But MFA is there to prevent this compromise from affecting the service and alert users/admins to the compromise, right?

If you have the username and password and are able to force the TOTP in the 60s window, the TOTP would be useless IMHO.

If a user keeps their credentials in a notebook and it gets stolen, the TOTP check can be the difference between the attacker getting in and the user being notified and changing their password.
Unfortunately, these days it's even easier with password managers containing all three (user, pass, token).
The difference being the notebook is paper and easily read, while the password manager is... quite a bit harder.
I want to believe users who use a password manager are also technically literate enough to secure it properly.
Me too, but my day job means I handle a bit of secops. Password managers are rolled out as security tools to users operating in enterprises where things like mandating that people don't keep their passwords on a sticky note on their monitor are usually step one...
Oh, wag doesn't use username and password auth by default. Those are only available in the OIDC integration or if you use PAM auth.