I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be
A standard TOTP code is normally 6 digits long. There are a million combinations, from
A million isn’t a particularly big number. A million seconds is about 12 days. A TOTP code changes every 30 seconds. Assuming the codes are evenly distributed (a big assumption!) we should see every combination in half-a-million minutes. Rather pleasingly, that’s about a year.
If, like me, you have far too many 2FA tokens, and you use them most days, then it shouldn’t be surprising if you occasionally see “weird” codes.
Million-to-one chances crop up nine times out of ten
This comes down to how humans perceive randomness. Famously, Apple had to make its shuffle algorithm less random – people were complaining that it would sometimes consecutively play songs by the same artist. Sure, it is random, but it doesn’t feel random.
What a human thinks of as perfect randomness is not the same as actual randomness.
In the novel Cryptonomicon – the perils of human-biases are made clear. A captured spy explains how their cover was blown:
“The one-time pads for Detachment 2702 are being created by Mrs. Tenney, a vicars wife. She uses a bingo machine, a cage filled with wooden balls with a letter stamped on each ball. She is supposed to close her eyes before reaching into the cage. But suppose she has become sloppy and no longer closes her eyes when she reaches into it.”
Does this have consequences?
Assuming a user takes any notice of their 2FA codes, do they feel more secure if they regularly receive codes which look significant?
How freaked out would you be if your 2FA Code displayed your date of birth? Your phone number? Your employee ID? Your credit card PIN?
But if we try removing all possible “special” numbers, we end up fatally weakening security.
So, the next time you get a 2FA code which feels a bit weird, don’t panic. Everything is fine.
Trust the algorithm.