by microtonal 4003 days ago
What kind of two factor authentication? TOTP codes don't protect you against e.g. phishing. A MITM can request codes and forward them (since they are time-based).

Get a U2F key. They work with Google accounts and provide much better protection against phishing (the phishing site does not have the key handle and cannot initiate the challenge-response as a result):

https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...


> What kind of two factor authentication? TOTP codes don't protect you against e.g. phishing.

Sure it does. TOTP codes are only good for X seconds and most phishing scammers merely collect the information to use much later (I have seen the source behind the actual phishing sites).

I have yet to hear of a story of someone's account being compromised while using TOTP (knock on wood).

But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP. So I would wager that TOTP is pretty safe to use.

> Sure it does. TOTP codes are only good for X seconds

Not seconds, usually a minute:

https://tools.ietf.org/html/rfc6238#page-6

(This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.)

> and most phishing scammers merely collect the information to use much later

Right. It's probably still profitable to do things in this manner because most people do not use any second factor. That does not change the fact that TOTP is extremely vulnerable to phishing. Most people here could probably write code that does this live in an hour or so.

> But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP.

Yes, because TOTP adds good security against other attacks, such as password leaks, since every site has its own shared secret.

> Not seconds, usually a minute:

Almost every service I use is 30 seconds - including Google's [1]. Even in the RFC you linked it says 30 seconds.

> This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.

That is the downside of TOTP. If your clock isn't in sync with the server's then you may never have a valid OTP. However, I have seen many implementations allow for time shifting, i.e. the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid. I didn't do that for my source code hosting service, but it makes sense in case the user hit enter right after the 30 second window. I suppose HOTP is supposed to solve the timing problem.

> That does not change the fact that TOTP is extremely vulnerable to phishing.

This doesn't make sense - TOTP isn't any more vulnerable than the password itself. You still need my password. And even if you phished that - by the time you would attempt to access my account the TOTP would be invalid. The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.

[1] - https://github.com/google/google-authenticator/wiki

> However, I have seen many implementations allow for time shifting - ie the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid.

Hence one minute. This is also why I referred to the RFC.

> The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.

Why? It's no problem to make a phishing site that requests the password and the TOTP code and uses these credentials immediately.
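The acceptance window and the real-time relay argued over in the comments above, as an added example (not code from any commenter). It is a stdlib-only RFC 6238 TOTP implementation: HMAC-SHA1, 30-second steps, 6 digits, plus a verifier that accepts the previous, current and next step (the "one minute" tolerance). The relay scenario is constructed: a phishing page captures a victim's code at time t0 and the attacker submits it 5 seconds later, 35 seconds later, and 70 seconds later. The secret and timestamps are made up for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6):
    """Accept `code` if it matches the current step or any step within +/- `window`.

    Returns the step offset that matched (0 = current, -1 = previous, +1 = next),
    or None if nothing matched. With window=1 and 30 s steps a code is usable for
    up to 90 s in the worst case, which is what the "one minute" remark refers to.
    """
    current = int(at) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), code):
            return delta
    return None


def relay_demo() -> dict:
    """Constructed phishing relay: the victim types a code into a fake page at t0."""
    secret = b"totp-demo-shared-secret"   # made-up shared secret for the demo
    t0 = 1_000_000                          # made-up capture time, 10 s into a step
    captured = totp(secret, t0)             # what the phishing page collected
    return {
        # attacker forwards the code immediately: accepted in the current step
        "relayed_after_5s": verify_totp(secret, captured, t0 + 5),
        # attacker (or a slow victim) submits after the step rolled over: still accepted
        "relayed_after_35s": verify_totp(secret, captured, t0 + 35),
        # "collect now, use later": outside the window, rejected
        "replayed_after_70s": verify_totp(secret, captured, t0 + 70),
    }


if __name__ == "__main__":
    for name, result in relay_demo().items():
        print(f"{name}: {'accepted (step offset %d)' % result if result is not None else 'rejected'}")
```

The RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, counter 0 gives 755224; time 59 with 8 digits gives 94287082) can be used to check the implementation. The window makes the relay easier, not harder: anything a phishing site captures is valid on the real site for the same interval the user's own late keystrokes are.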

I love my Yubikey! I use it with all my Google accounts.

Any benefit to Yubikey over Authenticator? EDIT: good points here: https://bitcointalk.org/index.php?topic=159444.0

This is old. The old Yubikeys with HOTP provided some advantages over authenticator, but new Yubikeys provide U2F which is much more resilient against phishing attacks.

https://www.yubico.com/applications/fido/

Moreover, U2F does not present itself as a USB keyboard (which had security implications on X11, since every application can listen in on keyboard events).
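Why a U2F login survives the same relay that defeats TOTP, as an added toy model (not Yubico's or any commenter's code, and not the real protocol): the browser, not the page, fills in the origin it is showing and uses it as the appId; the token only signs for the appId its key handle was registered under; and the relying party checks the origin inside the signed client data before the signature. HMAC stands in for the token's per-registration ECDSA key pair, so the relying party here verifies with a shared key; that is the one place the model departs from real U2F. All origins, usernames and secrets are made up.

```python
import hashlib
import hmac
import json
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class U2FToken:
    """Toy token: per-registration key derived from (device secret, app_id, nonce)."""

    def __init__(self):
        self.secret = os.urandom(32)   # never leaves the device
        self.counter = 0

    def _derive(self, app_id: str, nonce: bytes) -> bytes:
        return hmac.new(self.secret, nonce + sha256(app_id.encode()), hashlib.sha256).digest()

    def register(self, app_id: str):
        nonce = os.urandom(16)
        key = self._derive(app_id, nonce)
        tag = hmac.new(key, b"handle", hashlib.sha256).digest()[:16]
        # key handle = nonce + tag; it is public and stored by the relying party
        return nonce + tag, key   # (key_handle, "public key" stand-in)

    def authenticate(self, app_id: str, key_handle: bytes, client_data_hash: bytes,
                     check_handle: bool = True):
        nonce, tag = key_handle[:16], key_handle[16:]
        key = self._derive(app_id, nonce)
        expected = hmac.new(key, b"handle", hashlib.sha256).digest()[:16]
        if check_handle and not hmac.compare_digest(expected, tag):
            raise ValueError("key handle was not issued for this app_id")
        self.counter += 1
        signed = sha256(app_id.encode()) + self.counter.to_bytes(4, "big") + client_data_hash
        return self.counter, hmac.new(key, signed, hashlib.sha256).digest()


def browser_sign(token, page_origin, challenge, key_handle, check_handle=True):
    """The browser binds the assertion to the origin it is actually displaying."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    counter, sig = token.authenticate(page_origin, key_handle, sha256(client_data), check_handle)
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}     # user -> [key_handle, key, last_counter]
        self.pending = {}   # user -> outstanding challenge

    def register(self, user: str, token: U2FToken):
        key_handle, key = token.register(self.origin)
        self.users[user] = [key_handle, key, 0]

    def start_login(self, user: str):
        challenge = os.urandom(32).hex()
        self.pending[user] = challenge
        return challenge, self.users[user][0]

    def finish_login(self, user, client_data, counter, sig) -> bool:
        key_handle, key, last = self.users[user]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin or cd.get("challenge") != self.pending.get(user):
            return False   # assertion was made for a different site or a stale challenge
        signed = sha256(self.origin.encode()) + counter.to_bytes(4, "big") + sha256(client_data)
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
            return False
        if counter <= last:
            return False   # clone / replay detection
        self.users[user][2] = counter
        return True


def scenario():
    token, bank = U2FToken(), RelyingParty("https://bank.example")
    bank.register("alice", token)

    # 1. Legitimate login from the real origin.
    challenge, key_handle = bank.start_login("alice")
    legit_ok = bank.finish_login("alice", *browser_sign(token, "https://bank.example", challenge, key_handle))

    # 2. Phishing relay: the fake site fetches a real challenge and key handle and
    #    shows them to alice, but her browser uses the phishing origin as app_id.
    challenge, key_handle = bank.start_login("alice")
    try:
        browser_sign(token, "https://bank-login.example", challenge, key_handle)
        token_result = "token signed"
    except ValueError:
        token_result = "token refused"

    # 3. Even a sloppy token that skips the handle check produces an assertion
    #    whose client data names the phishing origin, so the bank rejects it.
    relayed = browser_sign(token, "https://bank-login.example", challenge, key_handle, check_handle=False)
    relay_ok = bank.finish_login("alice", *relayed)
    return legit_ok, token_result, relay_ok
```

In this model the phishing origin also changes the derived key, so scenario 3 would fail the signature check as well; the origin comparison is simply the first check the relying party performs. The relay that works against TOTP (forward what the user typed, right now) has nothing to forward here: the user never sees a code, and the only thing the token produces is bound to the site that asked for it.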

So what happens when you lose that?

You can associate multiple U2F keys with one Google account. Buy two, put one in a safe. They only cost ~15 Euro a pop.