About TOTP - a comment on a thread on mastodon

This is a comment on the answers given to this thread on mastodon which started with the question

Xoktz @Xoktz@mastodon.host

@switchingsocial Hello!, do you know some 2FA that respects your privacy?

#2FA #Privacy
11. Aug. 2019, 00:20 · 1 · 0

The question and its answers

I'd like to add some comments here: First of all, if you're referreing to #TOTP app, most Open Source apps will do. As they store everything locally, privacy is not really a matter. I do believe that even the Google product (Authenticator) isn't bad this time. They do differ, however, on securty/safety and usability, which was not the scope of the question ;-). I'd recommend to think twice before starting to use some password manager with sync capabilities like nextcloud or 1password and while presenting the TOTP secred by the app itself might seem a nice feature for backup, it breaks the idea of 2FA completely (see below).

The name of the game

Asking for a "2FA" with special features while you need a TOTP app is like asking for vehicles while you already know, you need a lorry - you might be offered a Motorbike.

What I am trying to say here is that 2FA is a concept, while TOTP is a standard.

And to be exact: The standard is not implementing the concept while often taken for it.

The reasoning behind this statement is that "2FA" means "Two Factor Authentication", i.e. you need to know something and need to (physically) have something. You might to refer to this by "Information" and "Possession". Examples are: A Password and your fingerprint, a PIN and your bank card, a password and phone-SIM (where a mTAN will be sent to).

(Just a note on "fingerprint": The problem with biometric authentication is, that you cannot replace the secret once it has been compromised, i.e. if somebody knowns your password, you will just set a different one and the compromised knowledge of your old password is useless. Once somebody manages to make a copy of your fingerprint good enought to fool fingerprint readers, you have a problem ...)

TOTP implemented in software is just "information", this holds true for TAN and iTAN lists. While it is harder to get a copy of this information it's not really unique hardware and it might be copied without you knowing it.

BTW: TOTP stands for "Time based one time passwords" - in case you didn't know already.

So what is TOTP good for?

TOTP has been invented for and is good measure against keyboard loggers on foreign hardware (e.g. public computers like internet cafes) and people spying on you while you type in your secrets. The code you type in is unique, time-bound and does not allow to draw any conclusion on your TOTP secret which is kept hidden in e.g. your phone. Knowing the code you just typed might help attacking your account for a small time, but is useless afterwards.

To some extend it helps against men-in-the-middle attacks, but only for those collecting credentials, not those making use of the credentials in real time.

So why is everybody referring to TOTP as 2FA?

In the end, all kinds of authentication is based on information. The question is, how safe is the information stored and how difficult is it to get a copy, more specific to get a copy whith the rightfull owner not knowing it.

Bank cards and TOTP hardware token make a good job at this. While bank cards are doing encryption and electronic signing with the private key never leaving the card (once it has been deployed), these hardware tokens displaying a number are using TOTP or equivalent protocols.

So, if you're implementing TOTP in hardware, it is as close to 2FA as you can get.

To copy the information, the attacker need to break the token - which is quite useless after he got hold on it and might just make use of it out of the way.

So, if you have 2FA based on hardware, you are sure nobody will access the service (i.e. Mastodon) without your permission as long as you make sure he does get hold of your security hardware long enough to make use of it before returning it to you.

The situation with software based TOTP on devices like phones and computers is a bit different. You must keep in mind, that software TOTP is all about knowledge - although one part is stored on a device, it's still information which can be copied without you realizing it. You will never be sure, youre device wasn't hacked and the TOTP secret was not copied.

Especially when using #KeepassX as recommended in some answer, there is no "second factor" as the only factor is your Keepass database (assuming that the regular password is stored in it as well)

Thanks for reading - 7usr7local

P.S.: While referring to the attacker as "him" in this text for for the simplicety of reading, I am aware of the fact that there is an equal number of evil female attackers around.