Should you enable TOTP *only* authentication?
Here's a "fun" thought experiment. Imagine a website which let you sign in using only your username and TOTP code.
No passwords. No magic links emailed to you. No FIDO tokens. No codes via SMS. Just a TOTP generated and displayed on your device.
Is that useful? Sensible? Practical?
It's certainly technically possible. Store the username, store the TOTP seed, done. Your users can now log in.
Is it useful? Well, it would force users to not reuse passwords they've used elsewhere. That prevents one class of security issue. If another service gets hacked, attackers can't use those credentials with your service. If you get hacked, there are no passwords stored.
As for practical? I already have 60 TOTP codes! (That's up from 30 a few years ago). Scrolling through those codes is no harder than scrolling through my password manager.
So, sensible? This all depends on your risk tolerance.
- A 6-digit TOTP code has only a million combinations. If your service has no rate limiting, that's trivial for an attacker to brute-force.
- An attacker might get lucky and score a literal one-in-a-million hit.
- Shoulder-surfing attacks are easier if the password is only 6 digits (although harder with a short time window).
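To make the risk list concrete, here is an added example (my own code, not anything from the post or its comments) of what a username-plus-TOTP verifier needs beyond "store the seed": RFC 4226/6238 code generation, a per-user failure lockout against online brute force, replay protection so a shoulder-surfed code cannot be reused within its window, and a helper that turns "one in a million" into a cumulative success probability for a given number of guesses. The `TotpOnlyVerifier` class, its parameters and the user `alice` are assumptions for illustration; the seed is the RFC 4226 test-vector secret, not a real credential.

```python
import hashlib
import hmac
import struct

# RFC 4226 reference secret: a published test vector, used here only so the
# codes below are checkable, never as a real seed.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def guess_success_probability(attempts: int, digits: int = 6, accepted_codes: int = 1) -> float:
    """Chance that an attacker guessing blindly succeeds at least once in `attempts` tries.

    `accepted_codes` is how many codes the server accepts per attempt (3 if it
    tolerates one step of clock drift either side), which multiplies the odds.
    """
    per_attempt = accepted_codes / 10 ** digits
    return 1 - (1 - per_attempt) ** attempts


class TotpOnlyVerifier:
    """Hypothetical username + TOTP login with rate limiting and replay protection."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300,
                 drift_steps: int = 1, step: int = 30):
        self.step = step
        self.drift_steps = drift_steps          # accepted steps either side of "now"
        self.max_failures = max_failures        # failed attempts before lockout
        self.lockout_seconds = lockout_seconds  # how long failures count against the user
        self.seeds = {}           # username -> TOTP seed
        self.failures = {}        # username -> timestamps of recent failed attempts
        self.last_counter = {}    # username -> highest time step already consumed

    def register(self, username: str, seed: bytes) -> None:
        self.seeds[username] = seed

    def is_locked(self, username: str, now: int) -> bool:
        """True once the user has hit max_failures inside the lockout window."""
        recent = [t for t in self.failures.get(username, []) if now - t < self.lockout_seconds]
        self.failures[username] = recent
        return len(recent) >= self.max_failures

    def verify(self, username: str, code: str, now: int) -> bool:
        seed = self.seeds.get(username)
        if seed is None or self.is_locked(username, now):
            # Unknown user or locked out: reject without spending a guess.
            return False
        current = now // self.step
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter.get(username, -1):
                continue  # already used: a captured code cannot be replayed
            if hmac.compare_digest(hotp(seed, counter), code):
                self.last_counter[username] = counter
                return True
        self.failures.setdefault(username, []).append(now)
        return False


if __name__ == "__main__":
    v = TotpOnlyVerifier()
    v.register("alice", TEST_SECRET)
    print(totp(TEST_SECRET, 59))                    # 287082 (RFC 6238 vector, 6 digits)
    print(v.verify("alice", "287082", 59))          # True
    print(v.verify("alice", "287082", 60))          # False: replay of a consumed code
    print(guess_success_probability(5, accepted_codes=3))  # ~1.5e-5 with the lockout above
```

With the lockout at five failures per five minutes, a blind attacker gets roughly 1.5e-5 per lockout period against one account; without it, a script making 100 attempts per second covers the whole 6-digit space in under three hours, which is the post's first bullet in numbers. Tolerating clock drift is a usability necessity but triples the accepted codes, so keep `drift_steps` small.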
Should you build an authentication mechanism like this?
Ehhhh… I'm going to go with "mostly no, except in limited circumstances". It might make life slightly easier for some users. But I feel inherently icky about having such a short password, even if it does regularly rotate. If this is a low-value service without sensitive information, it might be useful. But for everything else, I think it is a silly idea.
Christopher M0YNG said on mastodon.radio:
@Edent I've considered it for an APRS to Fediverse service.
In the world of amateur radio we're not allowed to "obscure the meaning" of a message which rules out encryption, but we'd also want to assure a message was coming from the real user, but we don't want to send a password.
TOTP is also easy to generate and enter into any handheld radio up a hill, unlike a PGP signature etc.
Given the restrictions of a short message, no encryption, minimal hardware requirements, TOTP could work well.
Curtis Carter says:
@blog sounds like a step down from passkeys but a similar idea. Makes me wonder why we never just used ssh keys for auth on the web.
Anything you do to abstract away the perceived complexity of secure auth will make your users more likely to use it.
Darren du Nord says:
@blog I would love this. Roboform generates and inserts these codes for me on the fly. And no more annoying "time to change your password" messages. No more password reuse threat vector.
InsertUser said on en.osm.town:
@Edent
It sounds way better than the ones that let random crooks spam your inbox with authentication emails in the hopes you'll click at least one of the links.
Mark Tyndall says:
@blog you mention scrolling through a password manager, but Firefox's manager auto-fills (and only on the correct website, mitigating against MITM attacks).
I'd want my totp authenticator to be at least as integrated, which would tie logging in to the machine the totp authenticator...
Stuart Langridge said on mastodon.social:
@Edent in addition... there is currently no very good solution out there for the majority of people for transferring your active OTP codes between devices, or between OTP apps, or between the phone you dropped in the bath and the new one you've bought on ebay. I am v reluctant to even have non-technical users such as my parents switch from SMS auth (which they get) to an OTP app (which may not be backed up usefully), let alone to only use OTP so if you lose the code your account is unrecoverable
Anton Piatek said on mastodon.social:
@sil @Edent yeah, android authenticator now has backup (by default?) but it's been a bit of a security nightmare as it's now a really valuable target. (also how do you do mfa for Google if you lost your device doing totp for Google...).
Backup codes I think are really poorly understood too!
Tiger Oakes said on bsky.app:
Passkeys match this thought process pretty well. They can be used in place of passwords because they’re unique enough to not need a second factor
Giles said on mastodon.me.uk:
@Edent It’s interesting as a concept but my immediate “erm” moment is the digital exclusion for a service: implies a level of tech knowledge / skill which might act as a barrier to entry.
Arthur Brock said on c.im:
@Edent My bank has done this for years. It works fine. There are alternative methods available in case the TOTP generator is lost etc