undefined | Better HN

0 pointspeterwwillis7y ago0 comments

You don't even need those. TOTP is perfectly acceptable. It's simple, it's offline, it's free. It's a weekend project. Two functions and an extra column in a database. No hacking on clients, no implementing protocols, no buying hardware.

Implementing TOTP: https://www.serverstack.com/blog/2013/02/21/implementing-tot...

My opinion is hardware tokens are a joke for average user security. If I can't even keep my phone around to use TOTP, I'm sure as hell not going to keep track of my U2F token.

0 comments

4 comments · 2 top-level

tptacek7y ago· 2 in thread

U2F is superior to TOTP because it's much harder to phish, and phishing is one of the two most serious attack vectors most teams face (the other being email attachments). Everyone that does U2F seriously also does TOTP, and doing both is the best option.

But yes, TOTP is a good start; the minimum that every serious team should have for its own personnel now.

peterwwillisOP7y ago

U2F is pretty cool, but it's also a bit over-complicated. Specifically, I don't think we need USB or NFC.

A client (or an extension) could generate a QR code which embeds a signed request from the server (SRS) along with a signed request from the client using a key it generates just for this server (CRS). The user scans this QR, the user's phone app recognizes the SRS+CRS, and spits out a token or QR.

The phisher might be able to mitm the SRS, but they can't know what the CRS is, so they can't generate a fake QR that will validate on the client app. So with no special hardware, we generate a one-time token that [as long as they can't mess with browser window pop-ups or some other nonsense] can't be phished. (I'm excluding malware because we all know it's game over by that point)

tptacek7y ago

Or we can just implement U2F, which was designed specifically based on experiences people had with TOTP phishing. There are software U2F tokens if you nerd-fussy about this stuff.

Alex39177y ago

> If I can't even keep my phone around to use TOTP, I'm sure as hell not going to keep track of my U2F token.

You effectively can't implement U2F without TOTP, because otherwise when people lose their U2F dongle they'll be locked out of the site. For any given site you should turn on TOTP before activating U2F, but then store the TOTP secret somewhere secure and don't actually use it.

j / k navigate · click thread line to collapse