1. 7

We got a request in IRC from the author of this article. For reasons orthogonal to the topic of the article, I am posting it from my account and inviting them to an account for commentary instead.

  1. 1

    I’ve wondered about the effectiveness of using a hash value derived from a physical file you possess, as an additional second factor. It is used in the application TrueCrypt, but I haven’t seen it anywhere else. Is there some reason for its lack of popular use?

    1. 1

      My biggest question on this is whether or not the TOTP key database is hashed with the user passwords. Does anyone know? Elliot’s assertion is that these cannot be hashed, but if you’re already running the user password hash, why not run the same hash to expose the TOTP key? Of course, that means the unhashed TOTP will remain in the clear while waiting for the user to input the 2FA value (or else the user would need to re-enter the password if you miss the 2FA window). Anyone have experience with this?

      1. 2

        2FA only really matters if your password is already owned. So if you’re deriving the TOTP secret from the password, it’s not much better than storing it in the clear, right?

        1. 1

          Silly me, of course that’s the case. Thanks!