Everyone in security will tell you that you need two-factor authentication (2FA), and we agree. The devil, as always with security, is in the details. Case in point: in the last few weeks, none less than Google messed up with their Google Authenticator app. The security community screamed out loud, and while it’s not over yet, it looks like Google is on the way to fixing the issue. Since 2FA has become a part of all of our lives – or at least it should – let’s take a quick dip into how it works, the many challenges of implementing 2FA correctly, what happened with Google Authenticator, and what options you’ve got to keep yourself safe online.

You probably know or use Google Authenticator, Microsoft Authenticator, or an app like Authy. What all of these authenticator apps have in common is the generation of a time-dependent six-digit number, given a secret key. If any of the above sounds familiar, you’ve used a time-based one-time password (TOTP). Perhaps you scanned that secret key into your phone in the form of a QR code?

What goes on under the hood with TOTP is nothing secret, and in fact you can do it yourself in just a few lines of Python if you’d like to. Basically, it’s taking the secret key, hashing it with a timestamp, and pulling six digits out of the result. The server to which you’re authenticating also has the secret key and a clock, does the same computation, and if they match, it knows that you are you!

This is a great system because a new six-digit “password” is regenerated every 30 seconds or so, which makes it impossible to guess before it expires. Using a one-way hash of the secret and the time ensures that even if an attacker is listening in, they can’t generate the next key or figure out your secret key from the intercepts. And even if you get phished into typing your six-digit TOTP into a bad web site, it’s a one-time password, so the damage is limited to that one login. (Of course, if they can wipe out your bank account in that one login…)

The underlying secret key in the TOTP is longer and more random than any password a human would choose, and if you’re like most people you haven’t ever even seen it – it’s in that QR code you scanned. So the TOTP secret key is a good password, and it’s only stored in two places: your phone and the server to which you’re authenticating.

Backing Up

What happens when you lose your cell phone? Most authenticator apps have a method of backing up the secret key to another device. The most common is to generate a QR code with your secret key so that you can just take a picture of phone one with phone two. That way, only someone looking over your shoulder at that exact moment can steal the key.