Comment by ACCount37

1 month ago

TOTP is the "good enough" 2FA.

If I managed to intercept a login, a password and a TOTP key from a login session, I can't use them to log in. Simply because TOTP expires too quickly.

That's the attack surface TOTP covers - it makes stealing credentials slightly less trivial by making one of the credentials ephemeral.

3 comments

ACCount37

alphager 1 month ago

The 30 seconds (+30-60 seconds to account for clock drift) are long enough to exploit.

TOTP is primarily a defense against password reuse (3rd party site gets popped and leaks passwords, thanks to TOTP my site isn't overrun by adversaries) and password stuffing attacks.

vel0city 1 month ago
In every system I've worked on recent successful TOTPs have been cached as well to validate they're not used more than once.
- vel0city 1 month ago
  
  In fact, re-reading RFC 6238 it states:
  Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
  https://datatracker.ietf.org/doc/html/rfc6238
  Assuming your adversary isn't actually directly impersonating you but simply gets the result from the successful attempt a few seconds later, the OTP should be invalid, being a one time password and all.