undefined | Better HN

0 pointsjjnoakes7y ago0 comments

TOTP has a downside when compared to SMS as well.

In cases where server security was breached and databases (or database backups or dumps) were accessed, if the TOTP seeds were part of the database (not sure how likely that is, but I'm guessing it's likely), then TOTP is doing nothing for security.

TOTP protects against things like credential stuffing and weak passwords, and is safer than SMS (no hijacking/intercepting), but for database security breaches things aren't so cut and dry.

I wonder if there should be a TOTP-like app which you still register with a site when you first log in or create your account, and which codes are sent to when new logins are needed, but which uses a more secure communication channel than SMS. This gives you the best of both worlds, no? One-time codes not generated from a single plain text seed, communicated to a known client over a secure channel, to prove the initial user is still in possession of the known client?

0 pointsjjnoakes7y ago0 comments

TOTP has a downside when compared to SMS as well.

TOTP protects against things like credential stuffing and weak passwords, and is safer than SMS (no hijacking/intercepting), but for database security breaches things aren't so cut and dry.

0 comments

5 comments · 2 top-level

tptacek7y ago· 2 in thread

The distinction you're drawing here isn't meaningful. Outside of securing an application's database, a TOTP key has no value anyways. If you have a persistent attacker who quietly owns your database, no 2FA is doing anything for you; the attacker can log in whenever they want anyways. Once the database is compromised, you invalidate all the TOTP secrets, and they become worthless.

jjnoakesOP7y ago

If you know of the database compromise, sure.

If your database contents are exposed (or a dump or backup is exposed) unbeknownst to you, those TOTP secrets won't be invalidated, and attackers which get their hands on that have more than they'd have if some other second factor method was in use which didn't rely solely on a long-term shared secret.

And since database exposures can go back a long way (like this one), and TOTP secrets aren't normally rotated over time, then this difference in second factor methods seems interesting.

tptacek7y ago

If you don't know of the database compromise, the technical term for the steady state you are operating in is "owned". 2FA isn't doing anything for you.

1 more reply

vel0city7y ago· 1 in thread

A standard called SQRL is similar to many of the concepts of U2F and can be done with an app scanning a QR code.

https://www.grc.com/sqrl/sqrl.htm

jjnoakesOP7y ago

Looks like SQRL is aiming higher than just 2FA, they try to be the entire login process. Thanks for the link, but not sure it's quite what I'm looking for.

j / k navigate · click thread line to collapse