
Should you enable TOTP *only* authentication?

10 comments · 300 words · Viewed ~255 times


Here's a "fun" thought experiment. Imagine a website which let you sign in using only your username and TOTP code.

No passwords. No magic links emailed to you. No FIDO tokens. No codes via SMS. Just a TOTP generated and displayed on your device.

Is that useful? Sensible? Practical?

It's certainly technically possible. Store the username, store the TOTP seed, done. Your users can now log in.

Is it useful? Well, it would force users not to reuse passwords they've used elsewhere. That prevents one class of security issue: if another service gets hacked, attackers can't use those credentials with your service. If you get hacked, there are no passwords stored. There are TOTP seeds stored, though, and unlike passwords they can't be hashed, because your server needs the raw seed to compute the same HMAC the user's app does. A leaked seed table lets an attacker generate valid codes for every user, so it needs protecting at least as carefully as a password database would.

As for practical? I already have 60 TOTP codes! (That's up from 30 a few years ago). Scrolling through those codes is no harder than scrolling through my password manager.

So, sensible? This all depends on your risk tolerance.

  • A 6 digit TOTP code has a million combinations, and whichever one is current stays valid for the whole 30 second window (three windows' worth, if you accept the neighbouring steps to allow for clock drift). If your service has no rate limiting, that's trivial for an attacker to brute-force.
  • An attacker might get lucky and score a literal one-in-a-million hit.
  • Shoulder surfing attacks are easier if the password is only 6 digits (although the short time-window means a glimpsed code is only worth something for a few seconds).
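As an added example (my code, not anything from the post or anything Terence has built), here is what "store the username, store the TOTP seed" looks like once you bolt on the rate limiting and replay protection the list above is asking for. It assumes the RFC 6238 defaults (HMAC-SHA1, six digits, 30 second steps), a plus or minus one step skew allowance, and a lockout of five failures for five minutes; the `TotpOnlyLogin`, `brute_force` and `guess_success_probability` names are my own, and the seed is the RFC 4226/6238 test-vector secret used as a constructed sample.

```python
"""Username + TOTP-only login with rate limiting and replay protection.

Added illustration for this post, not the author's code. Assumptions, also
flagged in the comments: RFC 6238 defaults (HMAC-SHA1, 6 digits, 30 s step),
a +/-1 step skew allowance, and a lockout of 5 failures for 300 s.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

DIGITS = 6
STEP = 30               # RFC 6238 default time step, in seconds
SKEW = 1                # assumption: accept one step either side for clock drift
MAX_FAILURES = 5        # assumption: lock the account after this many bad codes ...
LOCKOUT_SECONDS = 300   # ... for this long

# RFC 4226 / RFC 6238 test-vector secret, used here as a constructed sample seed.
SAMPLE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.digest(secret, struct.pack(">Q", counter), hashlib.sha1)
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


@dataclass
class Account:
    # The seed is stored as-is. It cannot be hashed, because the server must run
    # the same HMAC the user's app runs, so a leaked seed table forges every code.
    seed: bytes
    last_counter: int = -1   # highest time step already accepted; blocks replay of a seen code
    failures: int = 0
    locked_until: int = 0


class TotpOnlyLogin:
    def __init__(self, max_failures: Optional[int] = MAX_FAILURES,
                 lockout_seconds: int = LOCKOUT_SECONDS):
        self.accounts = {}
        self.max_failures = max_failures      # None means no rate limiting at all
        self.lockout_seconds = lockout_seconds

    def enrol(self, username: str, seed: bytes) -> None:
        self.accounts[username] = Account(seed=seed)

    def login(self, username: str, code: str, now: Optional[int] = None) -> str:
        """Return "ok", "invalid" or "locked". Unknown users get "invalid" after
        roughly the same HMAC work, so the reply does not reveal which usernames exist."""
        now = int(time.time()) if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            hotp(SAMPLE_SEED, now // STEP)    # burn about the same time as a real check
            return "invalid"
        if now < acct.locked_until:
            return "locked"
        well_formed = len(code) == DIGITS and code.isascii() and code.isdigit()
        counter = now // STEP
        if well_formed:
            for c in range(counter - SKEW, counter + SKEW + 1):
                if c <= acct.last_counter:
                    continue                  # that window's code has already been used once
                if hmac.compare_digest(hotp(acct.seed, c), code):
                    acct.last_counter = c
                    acct.failures = 0
                    return "ok"
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
        return "invalid"


def brute_force(service: TotpOnlyLogin, username: str, now: int, attempts: int):
    """Attacker loop: try 000000, 000001, ... within one window.
    Returns (outcome, number of requests made)."""
    for i in range(attempts):
        outcome = service.login(username, str(i).zfill(DIGITS), now)
        if outcome != "invalid":
            return outcome, i + 1
    return "invalid", attempts


def guess_success_probability(attempts: int, accepted_codes: int = 2 * SKEW + 1,
                              digits: int = DIGITS) -> float:
    """Chance that N random guesses hit one of the codes currently accepted."""
    return 1 - (1 - accepted_codes / 10 ** digits) ** attempts


if __name__ == "__main__":
    t = 59                                    # RFC 6238 test time; SAMPLE_SEED gives 287082 here
    limited = TotpOnlyLogin()
    limited.enrol("alice", SAMPLE_SEED)
    print("with lockout:", brute_force(limited, "alice", t, 10 ** DIGITS))    # ('locked', 6)
    unlimited = TotpOnlyLogin(max_failures=None)
    unlimited.enrol("alice", SAMPLE_SEED)
    print("no rate limit:", brute_force(unlimited, "alice", t, 10 ** DIGITS))
    print("5 guesses, +/-1 skew:", guess_success_probability(5))
```

Two things the post's bullets gloss over show up when you run it. With the lockout in place the attacker gets five guesses and is then told "locked" on the sixth request; without it the loop simply walks up to the first accepted code (287082 at t=59 for this seed, which takes a few seconds of HMAC work in Python) and is in. And because the verifier accepts the neighbouring time steps for clock drift, each guess has three chances rather than one, so the "one-in-a-million" figure is really three-in-a-million per attempt; `guess_success_probability` makes that arithmetic explicit.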

Should you build an authentication mechanism like this?

Ehhhh… I'm going to go with "mostly no, except in limited circumstances". It might make life slightly easier for some users. But I feel inherently icky about having such a short password, even if it does regularly rotate. If this is a low-value service without sensitive information, it might be useful. But for everything else, I think it is a silly idea.

Further discussion on Mastodon.



10 thoughts on “Should you enable TOTP *only* authentication?”

  1. @Edent I've considered it for an APRS to Fediverse service.

    In the world of amateur radio we're not allowed to "obscure the meaning" of a message which rules out encryption, but we'd also want to assure a message was coming from the real user, but we don't want to send a password.
    TOTP is also easy to generate and enter into any handheld radio up a hill, unlike a PGP signature etc.

    Given the restrictions of a short message, no encryption, minimal hardware requirements, TOTP could work well.


  2. @Edent in addition... there is currently no very good solution out there for the majority of people for transferring your active OTP codes between devices, or between OTP apps, or between the phone you dropped in the bath and the new one you've bought on ebay. I am very reluctant to even have non-technical users such as my parents switch from SMS auth (which they get) to an OTP app (which may not be backed up usefully), let alone to only use OTP, so if you lose the code your account is unrecoverable.

