Comment by crote

6 hours ago

What makes this 2FA? It's "something you know, plus mental labor", which makes it a password.

2FA is "something you have" (or ".. you are", for biometrics): it is supposed to prove that you currently physically posses the single copy of a token. The textbook example is a TOTP stored in a Yubikey.

Granted, this has been watered down a lot by the way-too-common practice of storing TOTP secrets in password managers, but that's how it is supposed to work.

Does your mTOTP prove you own the single copy? No, you could trivially tell someone else the secret key. Does it prove that you currently own it? No, you can pre-calculate a verification token for future use.

I still think it is a very neat idea on paper, but I'm not quite seeing the added value. The obvious next step is to do all the math in client-side code and just have the user enter the secret - doing this kind of mental math every time you log in is something only the most hardcore nerds get excited about.

24 comments

crote

Reply
fxj  6 hours ago

TOTP is also just password + some computation. So where is the difference? There is a lot of security theatre around TOTP with the QR code and then need of an app but you can write a 8 liner in python that does the same when you extract the password out of the QR code.

   import base64
   import hmac
   import struct
   import time

   def totp(key, time_step=30, digits=6, digest='sha1'):
        key = base64.b32decode(key.upper() + '=' \* ((8 - len(key)) % 8))
        counter = struct.pack('>Q', int(time.time() / time_step))
        mac = hmac.new(key, counter, digest).digest()
        offset = mac[-1] & 0x0f
        binary = struct.unpack('>L', mac[offset:offset+4])[0] & 0x7fffffff
        return str(binary)[-digits:].zfill(digits)

https://dev.to/yusadolat/understanding-totp-what-really-happ...

  • crote  5 hours ago

    You are supposed to store the password in a Secure Enclave, which you can only query for the current token value. You are also supposed to immediately destroy the QR code after importing it.

    As I already mentioned, the fact that people often use it wrong undermines its security, but that doesn't change the intended outcome.

  • elderlybanana  4 hours ago

    Yes, TOTP is a secret + computation, and generating it is trivial once you have the secret. The security difference is that the TOTP secret is separate from the user’s password and the output is short-lived. Each of the two factors address different threat models.

ulrikrasmussen  6 hours ago

In practice most TOTP implementation also do not prove that you have a device which is the sole owner of the secret. Except for proprietary app-based solutions the usual protocol is to display a QR code which just encodes the secret in plain text.

As long as you never enter the secret anywhere but only do the computation is your head, this is just using your brain as the second factor. I would not call this a password since it is not used in the same way. Passwords are entered in plain text into fields that you trust, but that also means that passwords can be stolen. This proves that you are in possession of your brain.

  • swiftcoder  5 hours ago

    > Passwords are entered in plain text into fields that you trust, but that also means that passwords can be stolen

    The only difference here is that you are hashing the password in your head, instead of trusting the client to hash it for you before submitting it to the server.

    Which makes the threat model here what, exactly? Keyloggers, or login pages that use outdated/insecure methods to authenticate with the server?

    • ulrikrasmussen  5 hours ago

      Yes, but also plain guessing since passwords are usually chosen by the user and not generated by the server like TOTP secrets. Also phishing attacks tricking users into entering their passwords in fake login pages, and stolen password databases.

      1 reply →

brna-2  6 hours ago

Time based skew makes it a changeable second factor, additional changeable pass makes it the second factor, Also - if the first factor is a password manager or ssh key - this is the second factor.

The idea of it was so neat to me, I just had to thinker with it.

josephg  5 hours ago

> 2FA is "something you have" (or ".. you are", for biometrics): it is supposed to prove that you currently physically posses the single copy of a token. The textbook example is a TOTP stored in a Yubikey.

No, 2FA means authentication using 2 factors of the following 3 factors:

- What you know (eg password)

- What you have (eg physical token)

- What you are (eg biometrics)

You can "be the 2FA" without a token by combining a password (what you know) and biometrics (what you are). Eg, fingerprint reader + password, where you need both to login.

  • crote  5 hours ago

    Of course, but in most applications the use of a password is a given, so in day-to-day use "2FA" had come to mean "the other auth method, besides your password".

    Combine that with the practical problems with biometrics when trying to auth to a remote system, and in practice that second factor is more often than not "something you have". And biometrics is usually more of a three-factor system, with the device you enrolled your fingerprints on being an essential part of the equation.

rcxdude  6 hours ago

The single copy part would be a lot more common if it was widely supported to have multiple tokens registered to an account.

And the main point (though I agree that it doesn't make it 2FA), is to not have the secret be disclosed when you prove that you have it, which is what TOTP also achieves, which makes phishing or sniffing it significantly less valuable.

  • fc417fc802  5 hours ago

    I guess it's a spectrum. At one extreme is the most physically resistant hardware token in existence. On the other end is a password transmitted in plaintext.

    An ssh keyfile requires an attacker to break into the device but is likely fairly easy to snag with only user level access.

    Bypassing a password manager that handles TOTP calculations or your ssh key or similar likely requires gaining root and even then could be fairly tricky depending on the precise configuration and implementation. That should generally be sufficient to necessitate knowledge of the master password plus device theft by an insufficiently sophisticated attacker.

    Given TOTP or an ssh key managed exclusively by a hardware token it will be all but impossible for anyone to avoid device theft. Still, even TPMs have occasionally had zero day vulnerabilities exposed.

  • crote  5 hours ago

    Are there any mainstream websites which only allow a single TOTP token to be enrolled? I can't remember having ever run into that issue. I do recall it occasionally being an issue with Passkeys, though.

    The non-disclosure is indeed neat, but the same can be achieved with a password. For example: generate public/private keypair on account creation. Encrypt private key with user password. Store both on server. On auth, client downloads encrypted priv key, decrypts it with user-entered password, then signs nonce and provides it to server as proof of knowledge of user password.

    • fc417fc802  5 hours ago

      You don't need to involve a private key there. Modern password authentication algorithms never reveal the bare secret (outside of initial registration ofc). For example, PAKE uses Diffie-Hellman coupled with the (salted) password hash to independently derive the same session key on both sides of the connection.

      AFAIK the primary technical concerns are insecure storage by the server (bad hash or salt) or keylogging of the client device. But the real issue is the human factor - ie phishing. As long as the shared secret can't be phished it solves the vast majority of real world problems.

      Point being, TOTP on a rooted phone handled by a FOSS password manager app whose secret store the end user retains full access to will successfully prevent the vast majority of real world attacks. You probably shouldn't use a FOSS password manager on a rooted device for your self hosted crypto wallet though.

      1 reply →

    • rcxdude  4 hours ago

      I would say the majority of services I have TOTP set up for only support one token at a time. It's only the bigger, techier services that have support for multiple.

madeofpalk  5 hours ago

I don't think OP claimed it adds value.

> It explores the limits of time-based authentication under strict human constraints and makes no claims of cryptographic equivalence to standard TOTP.

I think they're just having fun.

PunchyHamster  5 hours ago

misunderstanding of 2FA annoys me.

Like, banking site requiring phone's 2FA (whether actual or SMS), okay, you have to know password and access to the device or at least a SIM card so 2 things need to be compromised. Computer vulnerable, no problem, phone vulerable, no problem, both need to be vulnerable to defeat it

...then someone decided to put banking on the second factor and now phone has both password and token (or access to SMS) to make a transaction, so whole system is one exploit away from defeat.