CyberRage | 2 years ago
TOTP and passwords are not 'similar', because a TOTP is a secret generated from the 'key' and is only valid for a short time period.
This makes usage of that secret vastly more challenging for attackers, especially at scale.
I've seen real attacks where passwords are stolen; it is impossible to keep track of that. However, for TOTP, since the attacker has to log in NOW, you can very easily detect anomalies such as a new IP addr with many successful logins for different accounts.
Or to put it differently: when you capture a password it is always a valid credential, but for TOTP it requires more advanced infrastructure (automatic logins, saved tokens),
and even then the token will eventually expire; with a password you can generate infinite tokens.
radicality|2 years ago
kortex|2 years ago
It's not though. The whole point is the secret moves once, from server to client (ignoring user exports and whatnot). Pass(word|key)s are basic authentication, and so have to be transmitted with every request. That's a huge difference in surface area. Also they are guaranteed to be high entropy, unlike user-picked passwords with no filter.
CyberRage|2 years ago
1. TOTP is time-based; after 30 seconds it means absolutely nothing, and you cannot recreate the 'secret key' from that number.
2. With TOTP everything is well known. TOTP will usually generate a 6-digit 'secret', which makes managing it very predictable:
6 digits = 1,000,000 options (including all zeros), so we can easily calculate a good security margin,
like: 5 attempts - 5/1,000,000 = 0.000005% chance of success. Very predictable security margin.
For passwords it's a huge unknown; it entirely depends on the user's password quality.