top | item 46676765

(no title)

fxj | 1 month ago

TOTP is also just password + some computation. So where is the difference? There is a lot of security theatre around TOTP with the QR code and then need of an app but you can write a 8 liner in python that does the same when you extract the password out of the QR code.

   import base64
   import hmac
   import struct
   import time

   def totp(key, time_step=30, digits=6, digest='sha1'):
        key = base64.b32decode(key.upper() + '=' \* ((8 - len(key)) % 8))
        counter = struct.pack('>Q', int(time.time() / time_step))
        mac = hmac.new(key, counter, digest).digest()
        offset = mac[-1] & 0x0f
        binary = struct.unpack('>L', mac[offset:offset+4])[0] & 0x7fffffff
        return str(binary)[-digits:].zfill(digits)

https://dev.to/yusadolat/understanding-totp-what-really-happ...

discuss

elderlybanana|1 month ago

Yes, TOTP is a secret + computation, and generating it is trivial once you have the secret. The security difference is that the TOTP secret is separate from the user’s password and the output is short-lived. Each of the two factors address different threat models.

crote|1 month ago

You are supposed to store the password in a Secure Enclave, which you can only query for the current token value. You are also supposed to immediately destroy the QR code after importing it.

As I already mentioned, the fact that people often use it wrong undermines its security, but that doesn't change the intended outcome.

gruez|1 month ago

>You are supposed to store the password in a Secure Enclave,

That's at best a retcon, given given that the RFC was first published in 2008

>You are also supposed to immediately destroy the QR code after importing it.

Most TOTP apps support backups/restores, which defeats this.

alt227|1 month ago

IMO if it is possible to use a system wrongly which undermines its security, it is already broken.

Ferret7446|1 month ago

Exactly, which is why TOTP is "weak". "Real" 2FA like FIDO on a security key makes it much harder.

ACCount37|1 month ago

TOTP is the "good enough" 2FA.

If I managed to intercept a login, a password and a TOTP key from a login session, I can't use them to log in. Simply because TOTP expires too quickly.

That's the attack surface TOTP covers - it makes stealing credentials slightly less trivial by making one of the credentials ephemeral.

susam|1 month ago

Original source of the 8 liner Python code: https://github.com/susam/mintotp/blob/main/mintotp.py

az09mugen|1 month ago

Thanks for the link on TOTP and the associated code !