Hacker News new | ask | show | jobs
by ACCount37 147 days ago
TOTP is the "good enough" 2FA.

If I managed to intercept a login, a password and a TOTP key from a login session, I can't use them to log in. Simply because TOTP expires too quickly.

That's the attack surface TOTP covers - it makes stealing credentials slightly less trivial by making one of the credentials ephemeral.
1 comments
alphager 147 days ago
The 30 seconds (+30-60 seconds to account for clock drift) are long enough to exploit.

TOTP is primarily a defense against password reuse (3rd party site gets popped and leaks passwords, thanks to TOTP my site isn't overrun by adversaries) and password stuffing attacks.

link
vel0city 147 days ago
In every system I've worked on recent successful TOTPs have been cached as well to validate they're not used more than once.
link
vel0city 146 days ago
In fact, re-reading RFC 6238 it states:

   Note that a prover may send the same OTP inside a given time-step
   window multiple times to a verifier.  The verifier MUST NOT accept
   the second attempt of the OTP after the successful validation has
   been issued for the first OTP, which ensures one-time only use of an
   OTP.
https://datatracker.ietf.org/doc/html/rfc6238

Assuming your adversary isn't actually directly impersonating you but simply gets the result from the successful attempt a few seconds later, the OTP should be invalid, being a one time password and all.

link