[fxj]

TOTP is also just password + some computation. So where is the difference? There is a lot of security theatre around TOTP with the QR code and then need of an app but you can write a 8 liner in python that does the same when you extract the password out of the QR code.

   import base64
   import hmac
   import struct
   import time

   def totp(key, time_step=30, digits=6, digest='sha1'):
        key = base64.b32decode(key.upper() + '=' \* ((8 - len(key)) % 8))
        counter = struct.pack('>Q', int(time.time() / time_step))
        mac = hmac.new(key, counter, digest).digest()
        offset = mac[-1] & 0x0f
        binary = struct.unpack('>L', mac[offset:offset+4])[0] & 0x7fffffff
        return str(binary)[-digits:].zfill(digits)

https://dev.to/yusadolat/understanding-totp-what-really-happ...

[elderlybanana]

Yes, TOTP is a secret + computation, and generating it is trivial once you have the secret. The security difference is that the TOTP secret is separate from the user’s password and the output is short-lived. Each of the two factors address different threat models.

[crote]

You are supposed to store the password in a Secure Enclave, which you can only query for the current token value. You are also supposed to immediately destroy the QR code after importing it.

As I already mentioned, the fact that people often use it wrong undermines its security, but that doesn't change the intended outcome.

[gruez]

>You are supposed to store the password in a Secure Enclave,

That's at best a retcon, given given that the RFC was first published in 2008

>You are also supposed to immediately destroy the QR code after importing it.

Most TOTP apps support backups/restores, which defeats this.

[craftkiller]

> That's at best a retcon, given given that the RFC was first published in 2008

How so? Apple didn't invent the idea of a secure enclave. Here is a photo of one such device, similar to one I was issued for work back in ~2011: https://webobjects2.cdw.com/is/image/CDW/1732119

No option to get the secret key out. All you can get out is the final TOTP codes. If anything, having an end-user-programmable "secure enclave" is the only thing that has changed.

I think they probably meant "Secure Enclave" in the same way that people say "band-aid" instead of "adhesive bandage", "velcro" instead of "hook and loop fastener", and "yubikey" instead of "hardware security token".

[aja12]

>Most TOTP apps support backups/restores, which defeats this.

Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

[Rubberducky1324]

> Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

Google Authenticator has an export option that I've used in the past, so that one does it for sure. Authy allows cloud-based synchronization in any case, so exporting seems quite possible. MS Authenticator also allow cloud sync, so probably exporting is not difficult.

[aja12]

> cloud-based synchronization

Well I don't disagree that it might be possible to abuse cloud sync in some way to export the secrets, but it's not quite as egregious as just including the secrets by default in an app backup

Not perfect, but (imho) still better than SMS 2FA, mail 2FA, or lack of 2FA

[alt227]

IMO if it is possible to use a system wrongly which undermines its security, it is already broken.

[TeMPOraL]

On the contrary - perfect security is only possible if your system is an inert rock. Or not even then, as the users could still use the rock "wrong" by beating security maximalists over their heads with it.

Also honestly TIL that TOTP are somehow supposed to also enforce a single copy of the backing token being in existence. That's not just bad UX, that feels closer to security overreach.

People in tech, especially software and security folks, tend to miss the fact that most websites with 2FA already put a heavier security burden on their users than anything else in real life. There's generally no other situation in peoples' lives that would require you to safely store for years a document that cannot be recovered or replaced when destroyed[0]. 2FA backup codes have much stricter security standard than any government ID!

And then security people are surprised there's so much pushback on passkeys.

--

[0] - The problem really manifest when you add lack of any kind of customer support willing to or capable of resolving account access issues.

[lmz]

This is how we get sites that block software tokens and only allow a whitelist of hardware based tokens.

[otabdeveloper4]

You mean "hardware based token", because of course we only know of only one brand and specific make.

[lazide]

There is no system which cannot be used wrongly in a way which undermines it’s security.

[alt227]

OP:

> the fact that people often use it wrong undermines its security

[lazide]

Yes, that is what I am replying too.

That applies to everything.

[alt227]

Fair enough, I agree.

[Jean-Papoulos]

I can chuck a brick at your head. Clearly the brick is broken

[alt227]

Breaks are meant to be built with, not thrown at heads.

If you build with the brick properly you will have a great wall, if you dont then it will fall down. Pretty simple.

[dpoloncsak]

Pass-The-Hash attacks exist and the only real countermeasure is to never log into user machines with privileged credentials

[aja12]

Actually, the real countermeasure to PTH is to disable NTLM auth and rely only on Kerberos (and then monitor NTLM as a very strong indicator that someone or something is attempting PTH)

Of course kerberos tickets can be abused too in a lot of fun ways, but on a modern network PTH is pretty much dead and a surefire way to raise a lot of alerts

(You are absolutely right that privileged accounts must never login on less privileged assets, however!)

[dpoloncsak]

Yeah...we just went through this process over here. I was more just making the point that "If its possible to use a system wrongly which undermines its security, it is already broken" isn't always true. I guess you could argue its NTLM there thats 'already broken', but the idea was more "SysAdmins are sometimes given red buttons to never press under any circumstances."

[justincormack]

I mean, TOTP is one of the earliest 2 factor systems, and works least well.

[Ferret7446]

Exactly, which is why TOTP is "weak". "Real" 2FA like FIDO on a security key makes it much harder.

[ACCount37]

TOTP is the "good enough" 2FA.

If I managed to intercept a login, a password and a TOTP key from a login session, I can't use them to log in. Simply because TOTP expires too quickly.

That's the attack surface TOTP covers - it makes stealing credentials slightly less trivial by making one of the credentials ephemeral.

[alphager]

The 30 seconds (+30-60 seconds to account for clock drift) are long enough to exploit.

TOTP is primarily a defense against password reuse (3rd party site gets popped and leaks passwords, thanks to TOTP my site isn't overrun by adversaries) and password stuffing attacks.

[vel0city]

In every system I've worked on recent successful TOTPs have been cached as well to validate they're not used more than once.

[vel0city]

In fact, re-reading RFC 6238 it states:

   Note that a prover may send the same OTP inside a given time-step
   window multiple times to a verifier.  The verifier MUST NOT accept
   the second attempt of the OTP after the successful validation has
   been issued for the first OTP, which ensures one-time only use of an
   OTP.

https://datatracker.ietf.org/doc/html/rfc6238

Assuming your adversary isn't actually directly impersonating you but simply gets the result from the successful attempt a few seconds later, the OTP should be invalid, being a one time password and all.

[susam]

Original source of the 8 liner Python code: https://github.com/susam/mintotp/blob/main/mintotp.py

[az09mugen]

Thanks for the link on TOTP and the associated code !