[crote]

You are supposed to store the password in a Secure Enclave, which you can only query for the current token value. You are also supposed to immediately destroy the QR code after importing it.

As I already mentioned, the fact that people often use it wrong undermines its security, but that doesn't change the intended outcome.

[gruez]

>You are supposed to store the password in a Secure Enclave,

That's at best a retcon, given given that the RFC was first published in 2008

>You are also supposed to immediately destroy the QR code after importing it.

Most TOTP apps support backups/restores, which defeats this.

[craftkiller]

> That's at best a retcon, given given that the RFC was first published in 2008

How so? Apple didn't invent the idea of a secure enclave. Here is a photo of one such device, similar to one I was issued for work back in ~2011: https://webobjects2.cdw.com/is/image/CDW/1732119

No option to get the secret key out. All you can get out is the final TOTP codes. If anything, having an end-user-programmable "secure enclave" is the only thing that has changed.

I think they probably meant "Secure Enclave" in the same way that people say "band-aid" instead of "adhesive bandage", "velcro" instead of "hook and loop fastener", and "yubikey" instead of "hardware security token".

[aja12]

>Most TOTP apps support backups/restores, which defeats this.

Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

[Rubberducky1324]

> Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

Google Authenticator has an export option that I've used in the past, so that one does it for sure. Authy allows cloud-based synchronization in any case, so exporting seems quite possible. MS Authenticator also allow cloud sync, so probably exporting is not difficult.

[aja12]

> cloud-based synchronization

Well I don't disagree that it might be possible to abuse cloud sync in some way to export the secrets, but it's not quite as egregious as just including the secrets by default in an app backup

Not perfect, but (imho) still better than SMS 2FA, mail 2FA, or lack of 2FA

[alt227]

IMO if it is possible to use a system wrongly which undermines its security, it is already broken.

[TeMPOraL]

On the contrary - perfect security is only possible if your system is an inert rock. Or not even then, as the users could still use the rock "wrong" by beating security maximalists over their heads with it.

Also honestly TIL that TOTP are somehow supposed to also enforce a single copy of the backing token being in existence. That's not just bad UX, that feels closer to security overreach.

People in tech, especially software and security folks, tend to miss the fact that most websites with 2FA already put a heavier security burden on their users than anything else in real life. There's generally no other situation in peoples' lives that would require you to safely store for years a document that cannot be recovered or replaced when destroyed[0]. 2FA backup codes have much stricter security standard than any government ID!

And then security people are surprised there's so much pushback on passkeys.

--

[0] - The problem really manifest when you add lack of any kind of customer support willing to or capable of resolving account access issues.

[lmz]

This is how we get sites that block software tokens and only allow a whitelist of hardware based tokens.

[otabdeveloper4]

You mean "hardware based token", because of course we only know of only one brand and specific make.

[lazide]

There is no system which cannot be used wrongly in a way which undermines it’s security.

[alt227]

OP:

> the fact that people often use it wrong undermines its security

[lazide]

Yes, that is what I am replying too.

That applies to everything.

[alt227]

Fair enough, I agree.

[Jean-Papoulos]

I can chuck a brick at your head. Clearly the brick is broken

[alt227]

Breaks are meant to be built with, not thrown at heads.

If you build with the brick properly you will have a great wall, if you dont then it will fall down. Pretty simple.

[dpoloncsak]

Pass-The-Hash attacks exist and the only real countermeasure is to never log into user machines with privileged credentials

[aja12]

Actually, the real countermeasure to PTH is to disable NTLM auth and rely only on Kerberos (and then monitor NTLM as a very strong indicator that someone or something is attempting PTH)

Of course kerberos tickets can be abused too in a lot of fun ways, but on a modern network PTH is pretty much dead and a surefire way to raise a lot of alerts

(You are absolutely right that privileged accounts must never login on less privileged assets, however!)

[dpoloncsak]

Yeah...we just went through this process over here. I was more just making the point that "If its possible to use a system wrongly which undermines its security, it is already broken" isn't always true. I guess you could argue its NTLM there thats 'already broken', but the idea was more "SysAdmins are sometimes given red buttons to never press under any circumstances."

[justincormack]

I mean, TOTP is one of the earliest 2 factor systems, and works least well.