Should you enable TOTP *only* authentication?


A QR code.

Here's a "fun" thought experiment. Imagine a website which let you sign in using only your username and TOTP code. No passwords. No magic links emailed to you. No FIDO tokens. No codes via SMS. Just a TOTP generated and displayed on your device. Is that useful? Sensible? Practical? It's certainly technically possible. Store the username, store the TOTP seed, done. Your users can now log in. Is it useful? Well, it would force users to not reuse passwords they've used elsewhere. That prevents …


Is it OK to share 2FA secrets?


A QR code.

Yeah. Yeah, I reckon so. Under the right circumstances. Multi-Factor Authentication (MFA, 2FA, TOTP, whatever you want to call it) is pretty nifty. You scan a QR code and your phone will continually generate a set of one-time passwords which are synchronised with a remote server. There's nothing stopping multiple people from scanning that QR code! They will each have the same password displayed at the same time. I've found this to be useful in a few situations. If my wife and I have access…


Password Resets in an Age of MFA


A padlock engraved into a circuit board.

Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity. WordPress mandated that I change my password. But was that really necessary? Firstly, the password was uniquely generated by my password manager. It isn't re-used anywhere else. So there is no chance of hackers breaking in to my email, bank, or OnlyFans account. Secondly, and…


Giving the finger to MFA - a review of the Z1 Encrypter Ring from Cybernetic


A plain black ring. What secrets does it contain within?

I have mixed feelings about Multi-Factor Authentication. I get why it is necessary to rely on something which isn't a password but - let's be honest here - it is a pain juggling between SMS, TOTP apps, proprietary apps, and magic links. I'm also not a fan of PassKeys. It feels weird to me that my computer is the password. I get the theoretical way it works - but it rubs me up the wrong way. So, Yubikeys? I find them an annoyance. I never have my keys to hand - which sort of defeats the…


Firefox might remember old 2FA logins


The third number has a dropdown featuring 3 single numbers.

I'm big enough to admit when I make a mistake. A few days ago I had a bit of a rant on Mastodon about how PayPal was encouraging browsers to remember 2FA codes. I'd tried to log in to PayPal, went to enter my 2FA code and was presented with this: But, this isn't PayPal's fault! Let's take a look at the code behind each input: <input name="otpCode-0" id="ci-otpCode-0" aria-invalid="false" placeholder=" " aria-label="1-6" role="textbox" …


An eInk, Wrist-Mounted, TOTP Generator


A chunky wristwatch showing the time and a selection of 6 digit codes and their corresponding entities.

Behold! Thanks to the power of the Watchy development platform, I now have all my 2FA codes available at the flick of my wrist! HOWTO This uses Luca Dentella's TOTP-Arduino library. You will need a pre-shared secret which is then converted into a Hex array. Use the OTP Tool for Arduino TOTP Library to get the Hex array, Base32 Encoded Key, and a QR Code to scan into your normal TOTP generator. Add the Hex array into the code below. To check that it is functioning correctly, either scan…
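Both the shared-seed observation in "Is it OK to share 2FA secrets?" above and the seed conversion in this Watchy HOWTO come down to the same thing: RFC 6238 makes the code a function of the seed and the clock, so anything holding the same seed with a roughly correct clock produces the same six digits. The following Python is an added example, not code from the post, from the TOTP-Arduino library or from the OTP Tool. The seed is the RFC 4226 / RFC 6238 test secret, and the `uint8_t hmacKey[]` array format is an assumption modelled on the form Arduino sketches use; the exact text the OTP Tool emits may differ.

```python
# Added example (not from the post, the TOTP-Arduino library or the OTP Tool):
# RFC 6238 TOTP from a shared seed, plus the base32 <-> C-array conversions.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed seed: the RFC 4226 / RFC 6238 test secret "12345678901234567890",
# written the way an otpauth QR code carries it (base32, no padding).
QR_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def base32_to_bytes(b32: str) -> bytes:
    """Decode a QR-code secret; tolerate lower case, spaces and missing padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def bytes_to_arduino_hex(seed: bytes) -> str:
    """Seed as a C byte array for a sketch (assumed name `hmacKey`, as in the
    TOTP-Arduino examples; the exact text the OTP Tool emits may differ)."""
    return "uint8_t hmacKey[] = {" + ", ".join(f"0x{b:02x}" for b in seed) + "};"


def arduino_hex_to_bytes(c_array: str) -> bytes:
    """Inverse of bytes_to_arduino_hex: pull the bytes back out of the C array."""
    body = c_array[c_array.index("{") + 1:c_array.index("}")]
    return bytes(int(h, 16) for h in body.split(","))


def hotp(seed: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(seed, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). The only
    'synchronisation' with the server is that both sides have a clock."""
    if at is None:
        at = time.time()
    return hotp(seed, int(at) // period, digits)


def verify_totp(seed: bytes, submitted: str, at: Optional[float] = None,
                period: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server side: accept the current step and +/- `skew` neighbours to absorb
    clock drift, comparing in constant time. Every extra accepted step is one
    more value a guessing attacker can hit, so keep `skew` small."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False
    if at is None:
        at = time.time()
    step = int(at) // period
    return any(hmac.compare_digest(hotp(seed, step + d, digits), submitted)
               for d in range(-skew, skew + 1) if step + d >= 0)


def same_code_everywhere(at: float) -> tuple:
    """Two 'devices' that scanned the same QR code: a phone app holding the
    base32 secret, and a watch sketch holding the compiled-in hex array.
    Same seed plus same clock gives the same code."""
    phone_seed = base32_to_bytes(QR_SECRET)
    watch_seed = arduino_hex_to_bytes(bytes_to_arduino_hex(phone_seed))
    phone_code, watch_code = totp(phone_seed, at), totp(watch_seed, at)
    return phone_code, watch_code, phone_code == watch_code


if __name__ == "__main__":
    now = time.time()
    print(bytes_to_arduino_hex(base32_to_bytes(QR_SECRET)))
    print(same_code_everywhere(now))
    print(verify_totp(base32_to_bytes(QR_SECRET), same_code_everywhere(now)[0], now))
```

`verify_totp` is the part a server would run for the "username plus TOTP only" login from the first post: the seed is the whole secret, so whoever holds a copy of the QR code (a spouse, a watch, or a phishing proxy relaying a freshly typed code) is indistinguishable from the legitimate user within the accepted window.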


What's the optimal length for a 2FA code?


Screenshot of a text message. It says "Your one time passcode is 1031."

The other day, a company sent me a 2FA code which was only four digits long. I'll admit, this weirded me out. Surely 4 is just far too short. Right? I think almost every 2FA code I've seen has been 6 digits long. Even back in the days of carrying one of those physical RSA fobs, 6 has been the magic number. But why? A 2FA code is meant to prevent a specific class of problem. If an attacker has got hold of something you are (your username) and something you know (your password), you are…
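The question of why four digits feels too short and six feels normal comes down to how many guesses a server will tolerate before the attacker's odds become uncomfortable. The following Python is an added example, not the post's code; the figures it uses (a one-in-a-thousand success budget, a TOTP server accepting one step of clock skew either side so that three codes are valid at once, an SMS code valid for ten minutes against an attacker sending ten requests per second) are assumptions chosen for illustration.

```python
# Added example (not from the post): how many guesses a code length tolerates.
import math


def guess_success_probability(digits: int, attempts: int, accepted_codes: int = 1) -> float:
    """Upper bound on an attacker's chance of submitting a valid code within
    `attempts` guesses. `accepted_codes` is how many distinct values the server
    will accept right now: 1 for a single fixed SMS code, 3 for TOTP with one
    step of clock skew either side. Each guess hits with probability
    accepted_codes / 10**digits; the union bound below is exact while the
    attacker does not repeat a guess against the same code."""
    if digits < 1 or attempts < 0 or accepted_codes < 1:
        raise ValueError("digits, attempts and accepted_codes must be positive")
    return min(1.0, attempts * accepted_codes / 10 ** digits)


def attempts_within_budget(digits: int, budget: float, accepted_codes: int = 1) -> int:
    """Most guesses the server can allow per code before the attacker's
    chance of success exceeds `budget` (e.g. 0.001 = one in a thousand)."""
    if not 0 < budget < 1:
        raise ValueError("budget must be between 0 and 1")
    return math.floor(budget * 10 ** digits / accepted_codes)


def attacker_success(digits: int, validity_seconds: int, requests_per_second: float,
                     accepted_codes: int = 1) -> float:
    """Chance of success for an unthrottled attacker who guesses for the whole
    lifetime of one code (constructed scenario: e.g. a 4-digit SMS code valid
    for 10 minutes at 10 requests per second)."""
    attempts = math.floor(validity_seconds * requests_per_second)
    return guess_success_probability(digits, attempts, accepted_codes)


def lockout_table(budget: float = 0.001, accepted_codes: int = 3,
                  lengths=(4, 6, 8)) -> dict:
    """Guess budget per code length for a TOTP server accepting +/- 1 step."""
    return {d: attempts_within_budget(d, budget, accepted_codes) for d in lengths}


if __name__ == "__main__":
    for digits, allowed in lockout_table().items():
        print(f"{digits} digits: lock out after {allowed} wrong guesses per code")
    print("4-digit SMS, 10 min, 10 req/s, no throttling:", attacker_success(4, 600, 10))
```

The table is the practical point: with three codes accepted at once, a four-digit TOTP exhausts a one-in-a-thousand budget after three wrong guesses, six digits after a few hundred, eight digits after tens of thousands. Length only buys anything if the server actually counts and limits attempts.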


I've locked myself out of my digital life


Photo of a house engulfed in flames. Photo taken by Wikimedia user LukeBam06.

Imagine… Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes. In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle. This presents something of a problem. In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can r…


Why is there no formal specification for otpauth URIs?


A QR code.

Yes yes, Cunningham's law etc etc! I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really. IANA has a provisional registration - but no spec. It links to an archived Google Wiki which, as we'll come on to, isn't sufficient. There's some documentation from Yubico which is mostly a copy of the Google wiki with some incompatible tweaks. The Internet Initiative Japan has a subtly different spec which includes an icon parameter…
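With no formal specification, the practical answer is to implement the archived Google wiki text and decide explicitly what to do at the points it leaves open: the issuer appearing in the label, the parameter, or both; spaces after the label colon; unpadded or lower-case secrets; and vendor extras such as IIJ's icon parameter. The following Python is an added example, not the post's code and not any published spec. The test constant is the example URI from the archived Google wiki; the other URIs are constructed. Splitting the label at the first colon is an assumption (the wiki does not say what to do if the account name itself contains one).

```python
# Added example (not the post's code, and not any published spec): a parser and
# builder for the otpauth:// form described on the archived Google
# Authenticator wiki, with the ambiguities the post mentions called out.
import base64
from urllib.parse import parse_qs, quote, unquote, urlsplit

# The wiki's own example URI, reproduced here as a constant for testing.
WIKI_EXAMPLE = ("otpauth://totp/ACME%20Co:john.doe%40email.com"
                "?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co"
                "&algorithm=SHA1&digits=6&period=30")

DEFAULTS = {"algorithm": "SHA1", "digits": 6, "period": 30}
KNOWN_PARAMS = {"secret", "issuer", "algorithm", "digits", "period", "counter"}


def _decode_secret(b32: str) -> bytes:
    """Secrets in the wild arrive unpadded, sometimes lower case or spaced."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth URI into its fields; raise ValueError on anything the
    wiki text does not allow. Wiki-level defaults fill in missing parameters."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unknown type {parts.netloc!r}")

    # Label is "account" or "Issuer:account". The colon may be literal or %3A
    # and spaces may follow it. Assumption: split at the first colon.
    label = unquote(parts.path[1:])
    if not label:
        raise ValueError("empty label")
    label_issuer, sep, account = label.partition(":")
    if not sep:
        label_issuer, account = None, label_issuer
    account = account.lstrip(" ")

    query = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not query.get("secret"):
        raise ValueError("missing secret")
    try:
        secret = _decode_secret(query["secret"])
    except Exception as exc:
        raise ValueError("secret is not base32") from exc

    # Issuer may live in the label, the parameter, or both; if both, they must agree.
    param_issuer = query.get("issuer")
    if param_issuer is not None and label_issuer is not None and param_issuer != label_issuer:
        raise ValueError(f"issuer mismatch: label {label_issuer!r}, parameter {param_issuer!r}")
    issuer = param_issuer if param_issuer is not None else label_issuer

    algorithm = query.get("algorithm", DEFAULTS["algorithm"]).upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits = int(query.get("digits", DEFAULTS["digits"]))
    if digits not in (6, 8):
        raise ValueError(f"digits must be 6 or 8, got {digits}")

    result = {"type": otp_type, "issuer": issuer, "account": account,
              "secret": secret, "algorithm": algorithm, "digits": digits,
              # Anything else (e.g. a vendor 'icon' parameter) is kept, not interpreted.
              "extra": {k: v for k, v in query.items() if k not in KNOWN_PARAMS}}
    if otp_type == "hotp":
        if "counter" not in query:
            raise ValueError("hotp URIs need a counter")
        result["counter"] = int(query["counter"])
    else:
        result["period"] = int(query.get("period", DEFAULTS["period"]))
        if result["period"] <= 0:
            raise ValueError("period must be positive")
    return result


def is_valid_otpauth(uri: str) -> bool:
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False


def build_otpauth(otp_type: str, account: str, secret_b32: str, issuer=None, **params) -> str:
    """Emit a URI the parser above accepts: issuer in both the label and the
    parameter, everything percent-encoded, secret left as bare base32."""
    label = quote(f"{issuer}:{account}" if issuer else account, safe="")
    query = [("secret", secret_b32)] + ([("issuer", issuer)] if issuer else []) + list(params.items())
    return f"otpauth://{otp_type}/{label}?" + "&".join(f"{k}={quote(str(v), safe='')}" for k, v in query)


if __name__ == "__main__":
    print(parse_otpauth(WIKI_EXAMPLE))
    print(build_otpauth("totp", "bob", "GEZDGNBVGY3TQOJQ", issuer="Example", digits=8))
```

The issuer-mismatch check is the one to keep even if you relax everything else: an enrolment QR whose label says one issuer and whose parameter says another is exactly the kind of thing a phishing page might serve to get its own entry listed under a trusted name in the victim's authenticator.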


What's the risk from fake Yubikeys?


Meme in the style of "You Wouldn't Download A Car" saying "You wouldn't take a free USB stick."

I found this on a security-related Slack (shared with permission). It launched an entertaining discussion about the risks of taking a potentially fake FIDO token. We all know the risks of taking a free USB drive and shoving it in our computer, right? USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics! So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token? And - at the risk of …


Should browsers remember 2FA codes?


In HTML, the autocomplete attribute is pretty handy. The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements, <select> elements, and <form> elements. autocomplete lets web developers specify what if any permission the user agent has to provide automated assistance in filling out form field values, as well as guidance to the browser as to the type of information expected in the field. …


That's not how 2FA works


List of tweeters advocating for 2FA.

Another day, another high-profile website cloned to phish credentials.

Tess Rinearson (@_tessr), 16:12, Sat 16 January 2021: “Is this a phishing attempt? Goes to "githubverification.com" and asks for username and pw (if so, it nearly got me!) /cc @github” pic.x.com/jgt4oNvjF2

In the replies, you’ll see lots of techbros saying “this is why you should switch on 2FA people!!!” Except, and I hate to bring accuracy to a technical discussion, that’s not how 2FA works! A second factor all…
