Weeeeeelll...
I'm familiar with two (2) common kinds of "2FA" implementations. TOTP and SMS.
Of those two, only SMS is actually a second factor, albeit not a particularly secure one. TOTP is fundamentally a password, and two passwords are no different than one password.
I see this view a lot. It's wrong. TOTP is fundamentally different to a password, as the stored "password" (by which I presume you mean the key) is never transmitted anywhere.
TOTP in fact has one property that makes it potentially* the most secure of all 2FA methods: it can be used airgapped. As the credential you type into the 2FA form is not the saved secret.
* I say "potentially" because the relative inconvenience + human factors conspire to make it less secure than e.g. U2F in most cases. But assuming hypothetical perfect conditions, there would be nothing more secure than TOTP for 2FA.
You’d need to type a nonce into the dongle, then type the result into your computer.
TOTP is just a password. Also, in practice, the server has to have non-air-gappped access to a TOTP generator, so it’s not really air gapped at all.
Read up on the great RSA key fob recall for an example of TOTP-style auth gone horribly wrong.
> You’d need to type a nonce into the dongle, then type the result into your computer.
That would be a cool augmentation of digest auth, but afaik is hypothetical currently (at least as far as common use goes). I can use TOTP airgapped right now.
> in practice, the server has to have non-air-gappped access to a TOTP generator
This is a fair point, but requiring full server compromise is still a nice step up from being mitm-able.
> so it’s not really air gapped at all
That seems like a rather extreme conclusion to draw. Client-side only air gapping is still airgapping, the fact it doesn't extend to protection from server compromise doesn't completely invalidate the benefits.
Are you familiar with SRP?
TOTP has all of the properties of passwords, and no properties that passwords don't have. That makes it... a password.
I would say SRP is strictly a misnomer (though it's a useful conflation). Generally speaking password is a value provided for authentication (if it's no longer being "provided", as in SRP, it's something different... but I understand using a familiar word for that something different is helpful when communicating).
Either way, in saying TOTP was "just a password", the point you were trying to make was that TOTP is "no different than and therefore no better than a 2nd traditional password". The fact it's not transmitted makes it very different to, and better than, a traditional password. So whatever you want to define the definition as, the point stands.
> and no properties that passwords don't have
It has 1 property that passwords don't have: it is not transmitted!
TOTP is a password. The fact that it is a password doesn't matter though since it is something you have (and can't know) which augments the something you know. This satisfies the intent of MFA.
Slight detail that’s of course completely irrelevant.
You realize that, out of the many comments I've made in this tree, the one you responded to was the one that said
> Are you familiar with SRP?
There are more ways of compromising someone's information than capturing it in transit. If you give me your phone, I can read your TOTP seeds straight out of Google Authenticator.
The "Password" named in "Time-based One Time Password" is the temporary generated value you transmit. It's not what's stored on the TOTP device, so in the context of this discussion, that temp value isn't what the gp was referring to.
Careful; "one-time password" is in the name, and it certainly isn't that. Your TOTP seed stays valid forever.
After the security backlash they now backpedaled and implemented 2FA with ONLY apps. Apps that ONLY work on iOS and Google Android. I had endless calls from family where they couldn't access their banks anymore because they had a Huawei phone or a dumb phone. Banks are citing "security" as explanation why they can't use smartcards, hardware tokens or even bring apps to desktop computers or phones without Google services.
The funny part is - ALL banks did this at once. Why? Because the security consultants had "must have app" and "must check Google Safety net" on their check lists.
What country are you taking about? In regards to the EU 2FA thingy I start to belief to see a pattern. In countries who had established online banking standards with 2FA, nothing changed. But countries without, went ballistic. SMS or App only 2FA on every login and on every transaction. Yah, I can see that this is annoying.
While for me with my German banks I still access them using the FinTS protocol with a banking software of my choosing. For transaction above 20€* I need a TAN from my chipTAN/Sm@rt-TAN device (Which shows you the transaction details). Optional I could choose an app. SMS was phased out years ago (By my banks. Others perhaps still have it.)
(*only 3 transaction a day I believe. You can deactivate that so that you get asked for a TAN every time.)
It's a minor inconvenience for someone who is organised or is used to store secretes securely but a complete nightmare (including a security nightmare) for your average Joe.
Thanks EU, thanks governments for your precious regulations that keep us safe.
I wonder how many similar stories there are in fields I'm not an expert of.
I talked with fintech founders and they mostly say "sure, we could give better user experience and then have a fight on our hands with auditors because we didn't fill out all the checkboxes from the reputable security consultancy that 'interprets' the requirements"
Indeed, this is an argument you can reasonably make.
> TOTP is no more a password than whatever one-time code you'd get by SMS.
But this isn't; this is just a blatant lie.
A second factor is something you have, i.e. your phone, a hardware token, or access to a shared secret you don't store in your head.
Password managers kind of mangle the idea and turn the password from something you know to something you have.
The idea of "something you have" is that the thing can't be duplicated. As soon as it can, it's no longer "something you have". Any number of people might have it. A person who has it might not be you.
SMS hijacking, for example, converts your phone-based authentication to a password, where the password is your phone number. (Since an attacker who knows that number can pass the test.)
TOTP starts its life as a password.
Similarly, they can grab the shared secret from the server.
It’s marginally better than a password manager (though some of those support TOTP now), since they can’t pull all your credentials by keylogging your master password.
The hash seed that generates a password is connected to the device.
All I need for password authentication is the password and a device that can generate a one time proof that I know the password.
TOTP just seems more secure because the password is never displayed to the end-user.
A password/passphrase/passcode is something you know.
A hash for a TOTP is something you have. 2 factor means something you know and something you have (or something you are): https://dis-blog.thalesgroup.com/security/2011/09/05/three-f...
(And yes in theory you could remember the hash, and have a custom TOTP client that lets you enter it in. But unless you do this it is a theoretical argument only).
In fact, in Google Authenticator you can even conveniently export all running TOTP to another Google Authenticator without any connection with the apps or anything else whatsoever.
Would you not install two deadbolts on your door if you needed the extra security?
