Should Admins Require TOTP 2FA?ĭespite its potential weaknesses, TOTP 2FA is more secure than SMS, while also being just as lightweight and easy to access. Knowing this, admins seeking to implement TOTP 2FA for their organization should research various authenticator apps before settling on one. For example, in 2017, a programmer from Hackernoon was able to access the shared secret of LastPass’s MFA authentication mobile app simply by accessing the app’s activity log and going to “settings.” LastPass issued a patch shortly after the programmer made their bypass process public, but the fact remains that there can be exploitable oversights in an authentication app’s design. There’s also potential for design flaws in the app. Because of this, provided they have compromised a user’s credentials along with their “seed,” they can access the user’s IT resources. ![]() If a bad actor manages to recover the shared secret, they can generate new codes at will. For instance, TOTP codes rely on a shared secret, or “seed,” stored by both the app and the server it’s connected to. Potential TOTP 2FA RisksĪlthough TOTP is more secure than SMS 2FA, it has some shortcomings in its design. However, if SMS 2FA is the only option, NIST supports its use over the alternative, which is no 2FA at all. It should be noted that the National Institute of Standards and Technology (NIST) doesn’t recommend using SMS, as SMS 2FA is too easy to compromise. TOTP codes are generated by an app installed on the user’s device, so any bad actor looking to steal their code would need to either steal their phone or somehow break into the app first, which requires more technical skill. Or, a hacker may be able to target a specific user’s phone and steal it. The most basic way to intercept SMS codes is by either swapping out the victim’s SIM card or impersonating the victim and ordering a copy of their SIM card to be sent to a different address. TOTP codes are more difficult to intercept than SMS to begin with. If a bad actor were to obtain a TOTP code, for example, they would need to act in real time to use it before it expires. A good practice for organizations is to set the codes to refresh every 30 to 60 seconds, making the codes harder to use if stolen. Meanwhile, TOTP authenticator apps automatically generate codes that constantly refresh. ![]() If a bad actor were to obtain that code before a user submits it, they could easily access the account in question. However, SMS 2FA uses a static code that either expires after it’s been used, or if it hasn’t been used in some time period - say, 10 minutes after being sent. How TOTP 2FA Trumps SMS 2FAīoth SMS and TOTP add a second factor to the authentication process, keeping user accounts secure against automated brute force attacks –– a form of cyberattack where bots try to leverage stolen credentials to authenticate to an IT resource. Here, we’ll further discuss the reasons behind this transition and whether TOTP 2FA really is more secure than SMS 2FA. In its place, time-based, one-time passwords (TOTPs) generated by an app on a user’s device are preferred for their superior security and equal simplicity. ![]() However, SMS 2FA has steadily fallen out of favor in the IT world. It’s quick, easy to access, doesn’t burden systems or other resources, and keeps user accounts more secure than those without any form of 2FA in place. SMS is a common delivery method for two-factor authentication (2FA) –– or multi-factor authentication (MFA).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |