1. 30
  1.  

    1. 7

      This is a recipe for an eventual security disaster.

      A little blown out of proportion? I have never seen a service attempt to set up 1-digit TOTP authentication with their users. Pretty much every service on the planet stays on the well-trodden path of 6 digits, 30 seconds.

      So what would a tighter TOTP spec accomplish? Ok, your auth apps might reject dumb TOTP configurations. But who is generating these dumb configurations now? Nobody.

      1. 4

        The point I was making isn’t that a single digit code is bad for security, but that having a loosely defined spec which major implementations disagree on is bad for security.

        For example, Yubico generate 7-digit TOTP codes. If you move your secrets from their TOTP app to Google, will you be locked out? If you move from Google's arbitrary number of seconds to an app which only supports 30 seconds, will your codes occasionally be wrong? Can dodgy URL encoding of certain fields be used to trick or confuse users?

        Because of major implementations diverging from the spec and the deficiencies in the original spec, it is possible that unforeseen security issues could arise.

        As I say in my post, choosing a single digit TOTP code is stupid. But relying on a stagnant spec is probably worse.

        1. 1

          That is a much clearer explanation, thanks. You bring up a good point: it would be annoying if switching TOTP apps also meant losing my ability to log in because of a funky setup for one of my websites. A well-defined standard might help there.

          Though I could bet money that all my current TOTP codes would work in every major app, or the apps that break are probably not the high-quality ones you want to rely on anyway.

          I’m also not worried about, for example, malicious QR codes tricking users. Maybe I’m missing something here, because that implies a website is… attacking its own users? Attacking the users of another site somehow?

          Anyway, there are some valid security concerns here; I just don’t see how it could possibly amount to disaster. Perhaps the standard is stagnant because nobody sees any practical real-world scenario where things are likely to go sideways?

          In any case, the poor UX of TOTP codes in general is probably the biggest security concern IMO.

          1. 1

            In any case, the poor UX of TOTP codes in general is probably the biggest security concern IMO.

            No, that would be that they’re still phishable. (Unless that’s what you meant by “poor UX”?)

            1. 2

              Yes, I do think poor UX leads to phishability, as well as other problems.

        2. 3

          Pretty much every service on the planet stays on the well-trodden path of 6 digits

          As a small aside, Blizzard/BattleNet had 8-digit TOTP, which was in their exclusive “Battle.net Authenticator” app. I found a tool on GitHub that could act like the bnet authenticator app to set up, then export it so I could load it into my standard TOTP app.

          Blizzard have since discontinued it, requiring everyone to migrate to using their battle.net app, or disable the 2nd factor. Now I only have one factor. Please, everyone, just use standard TOTP.

          1. 1

            Blizzard have since discontinued it, requiring everyone to migrate to using their battle.net app, or disable the 2nd factor. Now I only have one factor. Please, everyone, just use standard TOTP.

            What is with game companies doing this crap? Steam Guard gives you the option to use either email or their proprietary mobile app.

        3. 3

          I love the “Interactive Relationship Graph”! Looks like there’s a blog on it here.

          1. 2

            I was hoping for a zero-length secret — I wonder how poorly that would interoperate :-)

            1. 2

              ReinerSCT says “[ Fehler ] Code enthält ungülige Zeichen!”, which the internet informs me is “code contains invalid characters”. Not the error I expected, but at least it didn’t add it.
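The interoperability questions raised earlier in the thread (what happens when a 7-digit or 60-second TOTP secret is moved into an app that only does 6 digits and 30 seconds, and whether sloppy URI encoding can confuse a client) and the zero-length-secret aside just above, worked through as an added example. This is not code from the thread or from any of the apps or vendors named in it. The otpauth URIs, the "strict client" rejection policy and the hypothetical client that ignores `digits`/`period` are assumptions made for the example; the secret is the RFC 4226/6238 reference secret so that the numbers match the published test vectors.

```python
"""Added example: minimal RFC 4226/6238 HOTP/TOTP plus a strict otpauth:// parser,
used to show how digits/period disagreements between apps lock users out."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), chosen so the
# codes below match the test vectors in those RFCs. Base32 form is what otpauth URIs carry.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI the way a strict client would: reject parameters it
    cannot honour rather than silently falling back to 6 digits / 30 seconds."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    raw = params.get("secret", "")
    # Base32 secrets are frequently unpadded in the wild; re-pad before decoding.
    secret = base64.b32decode(raw.upper() + "=" * (-len(raw) % 8))
    if not secret:
        raise ValueError("zero-length secret")
    digits = int(params.get("digits", "6"))
    period = int(params.get("period", "30"))
    algorithm = params.get("algorithm", "SHA1").lower()
    if digits not in (6, 7, 8):
        raise ValueError(f"unsupported digits={digits}")
    if period <= 0:
        raise ValueError(f"unsupported period={period}")
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError(f"unsupported algorithm={algorithm}")
    label = unquote(u.path.lstrip("/"))
    issuer = params.get("issuer")
    # The label convention is "Issuer:account". A label prefix that disagrees with the
    # issuer parameter is the kind of encoding confusion a user could be tricked by.
    if issuer and ":" in label and label.split(":", 1)[0] != issuer:
        raise ValueError(f"issuer mismatch: label {label!r} vs issuer={issuer!r}")
    return {"label": label, "secret": secret, "digits": digits,
            "period": period, "algorithm": algorithm}


def rejection_reason(uri: str):
    """Return the strict parser's error message for a URI, or None if it is accepted."""
    try:
        parse_otpauth(uri)
    except ValueError as exc:
        return str(exc)
    return None


def migration_outcome(uri: str, unix_time: int, client_digits: int = 6,
                      client_period: int = 30) -> tuple:
    """Hypothetical client that imports the secret but ignores digits/period and always
    uses (client_digits, client_period). Returns (server_code, client_code, accepted)."""
    cfg = parse_otpauth(uri)
    server = totp(cfg["secret"], unix_time, cfg["digits"], cfg["period"], cfg["algorithm"])
    client = totp(cfg["secret"], unix_time, client_digits, client_period, cfg["algorithm"])
    return server, client, server == client


# Constructed URIs for the scenarios discussed in the thread (example data, not real accounts).
URI_DEFAULT = f"otpauth://totp/Example:alice%40example.com?secret={RFC_SECRET_B32}&issuer=Example"
URI_7DIGIT = URI_DEFAULT + "&digits=7"
URI_60S = URI_DEFAULT + "&period=60"
URI_EMPTY = "otpauth://totp/Example:alice%40example.com?secret=&issuer=Example"
URI_BAD_ISSUER = f"otpauth://totp/Other:alice%40example.com?secret={RFC_SECRET_B32}&issuer=Example"

if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1 at 30 s, counter 0 at 60 s
    for name, uri in (("6/30", URI_DEFAULT), ("7/30", URI_7DIGIT), ("6/60", URI_60S)):
        print(name, migration_outcome(uri, t))
    for uri in (URI_EMPTY, URI_BAD_ISSUER):
        print("rejected:", rejection_reason(uri))
```

The 6-digit code is simply the last six digits of the 7- or 8-digit code for the same counter, so a 6-digit-only client that imports a 7-digit secret produces a code the server will never accept; a period mismatch is worse, since the two sides are then computing HOTP over different counters and the codes bear no relation to each other.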