Here's an idea.
-
-
@Edent the entropy level of a 6-digit TOTP code is way too low to be the **only** method of authentication.
Also TOTP secrets are symmetric, which increase their value in a leak (better encrypt them in the database).
-
@Franky47 I agree about the risk of storing the secrets - but could you please explain why its entropy has any bearing on it?
-
@Edent Let's assume the website doesn't have any rate-limiting protection (that would be the best defense mechanism against a time-based auth)
To test the 1M possible combinations in 1 minute, you'd need 16.6k req/s. It sounds like a lot, but you don't have to get it on the first try.
Dividing the problem space by N gives you 1/N chances of getting it right one time. Repeat that process 2*N times and you should get a good chance of getting in.
For N=1024, that's 1.5 days at 16req/s
-
@Franky47 that makes sense - thanks!
-
-
@khurtwilliams I am 100% sure my cybersecurity followers can disambiguate an acronym based on context.
-
@Edent Brute force resistance would be my concern. With only a 20 bit entropy there must be good rate limiting both on a per-account and per-IP basis.
-
@Edent i mean isn't that what microsoft are doing with their authenticator app? just with the slight deviation that they give you the code and you having to click instead of the other way around.
-
@fabnie that is rather different. They are pushing a code to you, rather than you generating it locally.
-
@Edent i get that but it is still the same in the sense that you are using only one factor instead of two, isn't it?
that is the issue i'm having with that concept you are describing, like that kinda defeats the 2 in 2fa or am i missing something here? -
@fabnie you're not missing anything. Hence the poll.
-
@Edent Careful where you step with ideas in this particular alley. Years ago I suggested that we could adapt PKI to serve to authenticate to websites. I was told that I was a moron pinhead and to just STFU about authentication. Then years later, passkeys are growing. So, have your amazing idea, but realize that it’ll take someone who isn’t you to have it and then it’ll be valuable. LOL.
-
@Edent I'm in cybersecurity myself, and I have to say, I'm not a fan of all the acronym slinging. When acronyms are used without proper context or explanation, they can unintentionally exclude people who may not have the same level of familiarity. Being thoughtful about the audience and offering definitions when needed can really help make communication more inclusive and easier for everyone to follow.
Did you perhaps assume your audience was exclusively infosec professionals?
-
@khurtwilliams
No. I assume my audience are adults who, when confronted with an unfamiliar word or acronym, will look it up themselves.I assume you had much the same thought process with this post.
https://indieweb.social/@khurtwilliams/112932291970739565