Is it OK to share 2FA secrets?


Yeah. Yeah, I reckon so. Under the right circumstances.

Multi-Factor Authentication (MFA, 2FA, TOTP, whatever you want to call it) is pretty nifty. You scan a QR code and your phone will continually generate a series of one-time passwords which match the ones the remote server computes from the same secret and the current time.

There's nothing stopping multiple people from scanning that QR code! They will each have the same password displayed at the same time.

I've found this to be useful in a few situations.

If my wife and I have access to the same account, and it doesn't allow individual sign-ins, then we share a username, password, and MFA code. That only works in a high trust environment. If your marriage is not high trust, you may need a different solution.

For a Big Work Project™ we had several people on-call. In case of emergency, someone would ring a "group hunt" number. Any one of the team could pick up. In order to authenticate both the caller and the answerer, all participants had the same TOTP code stored on their phones. That was more sensible than having a dozen different passwords.

There are risks, of course.

  • Giving multiple people access to a system increases the risk one of them will be hacked, phished, or attacked.
  • Having a secret on multiple devices means multiple chances for it to be leaked.
  • Revoking and reissuing keys is more difficult with multiple people.
  • It feels icky.

There's nothing which technically stops you from backing up or sharing your MFA secrets. But you need to be really sure you understand the risks.



4 thoughts on “Is it OK to share 2FA secrets?”

  1. says:

    For Three Rings, we've implemented (TOTP-based) MFA support into our Secrets Store (basically a charity's password safe). Naturally, for this to work, the organisation has to choose to share their MFA secret with us, weakening security to gain convenience (the convenience of being able to choose which of their volunteers can access the resulting TOTP keys, under what circumstances - e.g. requiring 2FA or a fixed physical location - and that it be logged).

    In this case, it felt like the right balancing point. Where a charity has e.g. a social media account with access shared between multiple users but those users are forced to share the same set of credentials, we'd rather that the charity enabled 2FA on their account (even if the only practical way to do so was to use a secret sharing system like ours) than felt unable to enable it.

    TOTP 2FA is really powerful as a security tool. So much so, that even weakening it by sharing the secret still leaves its authentication system significantly stronger than if it weren't enabled. So yes, I'm with you!

    (This is, of course, contingent on the MFA being correctly implemented on the third-party system. Last year for example I found a vulnerability in the web systems of a major UK mobile network that allowed an attacker to trivially bypass the second factor. 🤦)

    Reply
  2. Chrisns says:

    I've experienced before where the QR code resolves to a URL that only works once to return the secret to the app. I found this rather annoying, since my use case was trying to sign up to a MFA and save to a YubiKey and phone, and it consequently didn't work.

    IIRC the QR code can either embed the TOTP code itself, or a URL that returns it. That URL can be a one-time access thing, in which case you'll have to rely on another process to extract the TOTP and share it in multiple readers.

    Forget the service in question

    Reply
