Why is TOTP 2FA safer than a password?

My understanding is the following : when one activates TOTP 2FA on a website, it gives you a pemanent key. This key is used by the 2FA app, in combination with time, to generate a temporary, one-time password. When you enter that TOTP into the login page, the website “knows” it’s valid.

But how does it know that ? Does not that require the website to hold a copy of the key as well ? And in this case, if the website was hacked, and the password database was exposed, wouldn’t the 2FA keys be exposed as well ?

Both server (the website) and client (your TOTP app) share the same secret key. Therefore, the server (since it knows the current time) can also calculate the TOTP and check if it is the same as provided by the client. TOTP means: Both sides have a shared secret key, and the server compares the calculated TOTP.

Contrary to this, U2F devices contain a private key that is not shared with websites. With U2F, websites get a per-domain public key. So there is no way that your U2F gets leaked if a website is hacked. U2F means: The server only knows a public key, and gets a signed challenge from the client. In this scenario, the server checks if the signature is valid. (See also https://infosec-handbook.eu/blog/yubico-security-key-nitrokey-u2f/#u2f-function)

While we never saw a leaked TOTP database, this is likely. The same is true for the client since the TOTP app stores secret keys for each entry.

Why is TOTP 2FA safer than a password?

It is not more secure as a password. The important part is it is used as a second factor. Combining TOTP (or U2F) and password is more secure than using passwords only. However, TOTP only isn’t “more secure”.

Apart from this, there is the new standard WebAuthn. Web Authentication supports a wide range of authentication mechanisms, which are based on asymmetric keys (like U2F). However, WebAuthn can also be used as a single factor, replacing passwords. If it is used for single-factor authentication, WebAuthn clients need to store additional secrets (“Residential Credentials”). Otherwise, clients can be used for two-factor authentication—similar to U2F—without storing additional secrets.

4 Likes

Great explanation. I somehow hoped that you would barge in on this subject.

However, I’m deeply disappointed by reality. I had hoped that you could refute my assumptions, and tell me the key was not on the server.

Incidentally, this shows how difficult it is to wrap one’s head around 2FA. I have read dozens of articles on the subject, including some quite advanced ones, and never came across those simple (and critical) facts.

That’s exactly what I wanted to know. (I read the linked, detailed explanation, but it’s a bit above my league.)

Clumsy expression on my behalf. What I really meant was : why is TOTP-based 2FA, on top of a password, safer than password only ?

You just answered that it was vulnerable to the hacking of the protected website, exactly like authentication by password only (which I reckon is one of the most prevalent threats out there).

So the obvious question remains : why is password + TOTP 2FA more secure than password only ? What is the additional threat it protects against ? Or is it only the equivalent of an extra password ? What’s all that rigmarole of “something you have” about, if it does not protect you against a hacker breaking into the server ?

(Personal configuration : I use Kee Pass + Kee OTP, which is supposed to be less secure than a phone app, especially since I store the keys in the same database as the passwords. But the question is valid for both methods.)

From what you say, it seems U2F is the only proper way to do 2FA, but it’s offered by very few sites. As for WebAuthn, it seems great (having the potential to do hardware-based, single-factor, secure login), but it’s still completely theoretical for the time being, isn’t it ?

You don’t need to hack server in order to access account if it’s secured only by password. Especially if it is some week/known pass. But, you are right, if server is compromised, TOTP as 2FA is no more secure than strong password (passphrase).

I have one database (KeePassXC) for important passwords and one for TOTP secrets. Less important stuff is in Bitwarden vault. Maybe it’s time to look for U2F

So say there’s a scenario, where someone gets your password whether it be looking over your shoulder while you type it in, reusing it from another website that has been breached, or you have it written down somewhere and someone finds it, or whatever scenario you can think of where someone gets your password to your account. Instead of them now having full control, they now have to enter your password and your ever changing totp code. This protects you from keyloggers, shoulder surfing, people finding your password, reused passwords, etc. as now they need access to whatever device your totp code is living on. This is part of the reason it’s considered important to have your password and totp in different databases, or better yet different devices.

TL;DR: with totp enabled, the entire world could know your password, and even then never be able to access your account unless they also got your totp secret, or saw your totp code and entered it in before it expired.

Edit: see this demonstration of totp 2fa used in Steam, called steam guard https://youtu.be/fnMGt8J-uKs

Precisely. My point is, you don’t need 2FA, at all, to protect against most of those risks.

  • Weak password > Make it strong.

  • Known password > Because presumably weak. See above.

  • Shoulder surfing > Can’t happen. Close to 100% of sites have dots (unfortunately). Unless you’re using QWERTY as a password, or you’re targeted by KGB spooks filming you, there’s no real risk. To be 100% sure, use a password manager.

  • Password reuse from a breached website > Highly unlikely with unique, long and random passwords. To be extra sure, run your passwords regularly through Have I Been Pwned plugins or extensions.

  • Someone picks up your post-it > Don’t stick your passwords around your screen. Use a password manager.

  • People finding my passwords > Finding them how ?

  • Keyloggers > OK, that’s a possible risk. Use Kee Pass as a password manager, which has good protection against keyloggers. Anyway, is TOTP 2FA completely immune to malware-ridden clients ?

We already agree that the hacking of the webserver is not protected by TOTP 2FA.

If one of the sites you have an account at is hacked server-side, you’re probably protected if you use unique, long and random passwords. Unless the site stores passwords in cleartext – but then it’s probably not a sensitive site. In which case, it probably won’t offer TOTP 2FA either. Anyway, only your unimportant account at this site will be hacked, since you use unique passwords, don’t you ?

So, in real life, apart from benefiting reckless slackers with bad password hygiene, what does TOTP 2FA protect you against ?

Very specifically, what extra protection does it provide if you already use a good password manager, and have unique, long and random passwords for each site ? Which is something everybody should do anyway, regardless of 2FA, and long before even dreaming of implementing 2FA ?

Indeed, one of the most advanced articles I read on the subject said that TOTP 2FA only really protects you if you reuse passwords across sites. But you don’t need 2FA for that.

Please challenge the following statement : apart from limited benefits, such as forcing a hacker to break two keys instead of one if he hacks a website, TOTP 2FA is mainly security theater if you already use a password manager with unique, long and random passwords. Which you should be doing anyway.

And it can also be a pain in the ass, inasmuch as it forces you (in most cases) to have a smartphone handy, charged, switched on, and to type six blasted numbers manually everytime you want to login to protected sites.

Not to mention it forces you to follow extra backup routines for your 2FA keys, if you don’t want to run the risk of being locked out of your accounts.

Please understand I’m not on a crusade here. I really wish to be challenged on that statement. I’d love to be proven wrong. I’m only trying to learn.

It almost definitely is not the most prevalent threat out there. Weak passwords and password reuse is far more common, and 2FA is often easier for general users to understand and use compared to a password manager.

This is also correct, yes. Now that it has been standardized (Webauthn) and supported in more browsers (it was Chrome only for quite a while) we should see more adoption.

There is another advantage to TOTP which I brought up in another thread:

This is because the TOTP code generated every 30 seconds is functionally the same as a hash, in the sense that it can never be turned back in to the secret. So that’s one less vector of attack compared to passwords, but that’s a relatively rare circumstance in the HTTPS world.

1 Like

I will agree with you, that if you have perfect password practices, then sure it only provides limited benefits, but those are still benefits aren’t they? Basically it comes down to the advantages of 2FA. If you can ensure your password will never be found out, meaning you 100% trust your password manager, the device your using, the internet connection your using, the website your accessing, then sure there could potentially be no benefits and only hassles. But in the scenario you can’t trust that your password won’t be found out somehow/someway then isn’t it better to use 2FA? I don’t know how your password might be found out, because I’m not a hacker/malicious entity trying to gain access your accounts, but I’m sure someone out there can think up a way.

If your mindset is “I’m not special enough for people to target me specifically” and you’re right, then odds are in 99.9% of scenarios a decent password and password habits will be more than sufficient. But if you are someone KGB spooks, or someone else is after, then 2FA is just another step to secure yourself.

Also some scenarios where 2FA might help:

  • Logging into an insecure device, whether it be temporarily or not, might track your password
  • Connecting to a website that sends your password to the website via a cleartext response (which is very common) means that whatever connection your using might see it if you happen to not use https by some chance, and whatever browser your using you have to trust to not be compromised
  • Someone stealing your device while it’s unlocked means they might have access to your unlocked password manager
  • If you have someone you want to let borrow/ use an account say friends, children, S/O, then you can give them the password and TOTP so they can login, and you know even if they are dumb and write down the password you’re still secure

Basically the big advantage besides 2FA is that TOTPs are unique, and change every 30 seconds, so it’s like having a password that changes every 30 seconds, and which the algorithm for generating them means they’re always totally unique, so it’s not like changing your password from password to password1 to password2 that’s guessable.

1 Like

That’s certainly true in a statistical way, from the point of view of the god of the Internet. Or even from the point of view of an IT manager, in charge of protecting users against themselves in a company.

It’s not in my hypothesis, where I presume good password hygiene (my case). It’s arguably not within the subset of users with reasonable tech skills, customarily reading security or privacy sites. Who can be persuaded to properly use a password manager, or already do.

Besides, aren’t weak passwords, and password reuse, a risk precisely because websites get hacked all the time ? The number of people who got their accounts hacked because a co-tenant, or a petty thief, guessed the relevant password on their laptop must be quite low in percentage.

I had missed your important comment in this other 2FA thread. I’m glad you vindicate my probably marginal choice of TOTP through password manager:

So it depends on your threat model. In theory storing your TOTP passwords in your password manager decreases your security a bit, because now an attacker only needs to compromise your password manager. But if you make that difficult enough it isn’t really an issue.

Two-factor isn’t as important for security as it’s cracked up to be, I’d go as far as to say it’s the least important benefit that TOTP gives users. The benefits of TOTP are significant even if you don’t store them in a separate location.

Going through your points there:

Jonahteam

There are a number of security benefits to using TOTP ( regardless of where you store the secrets, in a password manager or otherwise) compared to not using it at all.

  1. TOTP secrets are unguessable . Unlike passwords, whose strength is determined by the user, TOTP secrets are determined by the server and if implemented correctly are long random strings that cannot be obtained through guesswork (brute forcing, etc).

Not an advantage if your passwords are already good.

TOTP secrets are never transmitted during authentication. Even if there is a sophisticated MITM on your network that is able to intercept HTTPS traffic, TOTP secrets are never transmitted across the network after you originally receive them.

Yes, but they are already on the server. We read a lot about MITM, because it’s a sophisticated attack and security researchers love them, but how many actual hacks of accounts happen through MITM of passwords ? Not counting phishing, in which case all bets are off ? On the other hand…

It can be hacked during transmission, though. There was such a hack recently which made the news. Some Middle-East journalists’ TOTP 2FA was defeated through sophisticated phishing. Admittedly, this was likely done by an intelligence agency.

TOTP secrets are unique . You’ll get a new one for each site you visit no matter what, whereas with typical password use most users end up reusing the same passwords. If you’re using a password manager correctly this is less of a big deal, however.

You’ve just said it : password managers are enough to eliminate password reuse.

So all this points to an astonishing point of view which I read before, and I had trouble believing : could it be the case that TOTP 2FA is only really needed because the bloody users can’t be persuaded to set their passwords right ?

And then you write this, which tends to confirm the above:

This is an extraordinary statement. It has certainly not been easier for me, and I have spent a significant part of my professional life advising people on how to use their computers.

It might be easier in terms of just installing blindingly the app, and typing 6 figures when you are prompted to. It’s certainly not when it comes to making sure that your secrets are properly backed up, as we can see by the endless stream of users asking for help after losing their phones.

It’s certainly not when it comes with understanding how it works (hence my questions), and I’d argue that understanding how it works is a major factor in security.

How many actual hacks of accounts happen because of an http connection ?

That being said, now that I’m onboard of TOTP 2FA, I’ll continue to activate it wherever possible. I even find it somewhat fun.

But it sure looks like a half-baked, stopgap solution, before something better becomes the norm.

Thank you for a great discussion.

You can get the 6 digit code during transmission, and if you’re a reasonably skilled attacker you could use it to quickly log in within the 30 second window before it expires. However, you cannot get the TOTP secret during transmission, which was my main point.

But yes. In your situation it still probably adds little value. If you’re interested in security the best option is WebAuthn. I should see if I can get that working on the forum… edit: lol I guess we do have it on the forum :+1: I even have it set up but I never have to log in so I forgot.

Yes, that’s what I understood. Sorry if I was not clear. I think that’s the way the TOTP-using Middle-East journalists were phished.

Whaaat ? I thought WebAuthn was only a paper spec right now ? Would it work on the forum if I bought a Yubikey, or similar ?

WebAuthn was finalized in March 2019: https://www.w3.org/TR/webauthn/. It is currently a “W3C Recommendation”, which is similar to a “standard”, however, W3C can’t publish “web standards” but only “recommendations”.

Since then, some web services like GitHub migrated from U2F to WebAuthn. WebAuthn includes U2F, so every service supporting WebAuthn also supports legacy U2F. Therefore, you can use your new hardware token with support for WebAuthn for U2F-only websites. Vice versa, you can use your old U2F-only token to log into websites supporting WebAuthn. However, WebAuthn does not only support authentication like U2F but it comes with different authentication schemes like one-factor authentication (mentioned above, “Residential Credentials”).

2 Likes

Yep. And actually I think this forum only supports U2F and not WebAuthn @Zlivovitch, but that does mean that you can currently use a Yubikey just fine, and you would be able to use that Yubikey on both U2F-only sites like this forum, and sites present and future that support WebAuthn.

1 Like

I just activated TOTP 2FA on this forum through Kee Pass. Works like a charm.

The user interface and workflow are rather better than what I’ve seen in other places, too.

The hardware key option is very clearly marked, and I will take advantage of it if I take this step…

1 Like

Thank you for your answers. Doing a quick search on WebAuthn, starting from your link, I found this great tutorial published 3 days ago :


It’s looong, but it really hits the right spot for practical and up-to-date information on the subject. You don’t need to be a developer or a sysadmin to read it. I’m certainly keeping it as a reference.

Lots of entertaining and informative info on various encryptions here, example.