![]() ![]() So the safety of your TOTP keys relies on the authentication server not getting hacked. This means that there’s not a super-safe way to store them on the server side, unlike regular passwords which can be stored salted and hashed. On the other hand, the secret needs to be used in an unhashed form, both on your phone and on the server that authenticates it. On the one hand, they provide a non-repeating login that will help defeat eavesdroppers. Trusting TOTPĪuthenticator apps are a strange bargain. If Authenticator let you encrypt the keys before backing them up, you wouldn’t have to trust Google at all. But if you’re storing all your TOTP keys in one basket in one convenient app, then Google (or anyone who hacks Google) has access to your bank account too. Of course, if you’re using Google Authenticator only to log into Google, they have the secret key already. What could go wrong with Authenticator sending the keys in plain text? For one, you might not want to trust Google with your TOTP secret keys. In the middle, Google or anyone else listening in would have to break your encryption to steal the TOTP secret, and you have the convenience of the cloud. On the receiving phone two, you enter that same password again to decrypt the TOTP secret. That is to say, on phone one, you should have to type in yet another password to encrypt it before it’s sent out to Google. How should cloud backup be done right? It should be end-to-end encrypted. What do you normally do when you send or store secrets? You encrypt them, right? Guess what Google didn’t do when sending the secret key between your phone and their server! The secret key is a secret, and in the case of a 2FA token, it’s probably a secret that you really care about. But what if you want to back the secret up to the cloud? That’s where Google Authenticator got into trouble. That way, only someone looking over your shoulder at that exact moment can steal the key. The most common is to generate a QR code with your secret key so that you can just take a picture of phone one with phone two. Most authenticator apps have a method of backing up the secret key to another device. What happens when you lose your cell phone? Backing Up So the TOTP secret key is a good password, and it’s only stored in two places: your phone and the server to which you’re authenticating. The underlying secret key in the TOTP is longer and more random than any password a human would choose, and if you’re like most people you haven’t ever even seen it – it’s in that QR code you scanned. (Of course, if they can wipe out your bank account in that one login…) And even if you get phished into typing your six-digit TOTP into a bad web site, it’s a one-time password, so the damage is limited to that one login. Using a one-way hash of the secret and the time ensures that even if an attacker is listening in, they can’t generate the next key, or figure out your secret key from the intercepts. ![]() This is a great system because a new six-digit “password” is regenerated every 30 seconds or so, which makes it impossible to guess before it expires. The server to which you’re authenticating also has the secret key and a clock, does the same computation, and if they match, it knows that you are you! Basically, it’s taking the secret key, hashing it with a timestamp, and pulling six digits out of the result. What goes on under the hood with TOTP is nothing secret, and in fact you can do it yourself in just a few lines of Python if you’d like to. Perhaps you scanned that secret key into your phone in the form of a QR code? If any of the above sounds familiar, you’ve used a time-based one-time password (TOTP). What all of these authenticator apps have in common is the generation of a time-dependent six digit number, given a secret key. You probably know or use Google Authenticator, Microsoft Authenticator, or an app like Authy. Since 2FA has become a part of all of our lives – or at least it should – let’s take a quick dip into how it works, the many challenges of implementing 2FA correctly, what happened with Google Authenticator, and what options you’ve got to keep yourself safe online. The security community screamed out loud, and while it’s not over yet, it looks like Google is on the way to fixing the issue. Case in point: in the last few weeks, none less than Google messed up with their Google Authenticator app. ![]() The devil, as always with security, is in the details. Everyone in security will tell you need two-factor authentication (2FA), and we agree. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |