Learn how does TOTP (2FA) work

TOTP is one of 2FA (Two-factor authentication) methods and a reliable way to keep your accounts safe. Discover how it works and why it is a secure option.

Picture for Learn how does TOTP (2FA) work
Picture by Matt Chad
Author's photo
Matt Chad
June 06, 2023

In the modern world, online security has become more vital than ever. With a large amount of our personal and sensitive data being stored online, it is crucial to take necessary steps to protect ourselves from cyber threats and hackers. In this article, we will discuss how TOTP (Time-based One-time Password) works, what are its advantages and flaws, and why it is a growing choice for online security.

If you are curious about how TOTP authentication can safeguard your online accounts, read on!

But, before we dive in, let's take a quick look back at history.

Why secret keys must remain secret?

During World War I, inventors from various countries discovered that a purely random key sequence without repetitive pattern is crucial to develop an unbreakable ciphering solution.

Marian Rejewski and his team at the Polish Cipher Bureau accomplished a remarkable feat by exploiting Enigma, the encryption machine used by the Germans to secure their military communications. The German military code was considered to be one of the most secure codes of that time, but Rejewski and his colleagues were able to reverse-engineer the machine's wiring and create replicas that could decrypt the messages.

The procedural weaknesses of the Germans were quickly identified by Rejewski. He discovered that the Germans had specified a single indicator setting (Grundstellung) for all messages on a network for a day, which made it easier for him to decipher the messages. Moreover, the operator was reusing the same message key in the enciphered 6-letter indicator.

These procedural mistakes proved to be a significant vulnerability in the German encryption system, as Rejewski was able to decipher the message keys without knowing how the machine was configured.

This highlights the importance of adhering to the golden rule of one-time keys and never disclosing the secret used to encrypt messages.

Do I need 2FA if I have a strong password?

While strong passwords take more time to guess for automated hacking tools, 2FA adds another layer of security protecting against brute-force and other vectors of attack:

  • Strengthened security: 2FA provides an additional layer of security to your online accounts, making it harder for attackers to gain access to your account even if they know your password.
  • Protection against password leaks: If your password gets leaked in a data breach, attackers may still not be able to access your account if you have 2FA enabled.
  • User convenience: While strong passwords can be difficult to remember or manage, 2FA methods such as SMS codes, authenticator apps, or physical security keys are generally user-friendly and easy to use.
  • Flexible implementation: 2FA can be applied to different types of applications and services, giving you the ability to add an extra layer of security to a variety of accounts.
  • Improved compliance: Many organisations generally recommended to use 2FA whenever possible for the extra layer of security it provides.

Combining 2FA with strong passwords, you can significantly enhance the security of your online accounts, while also ensuring compliance and providing a sense of security.

Is TOTP more secure than SMS?

Yes, TOTP generates the key within authenticator app on mobile device using symmetric encryption algorithm. Both server and the authenticator app are synchronized with Unix timestamp that is used to generate one time password (OTP). It is impossible to hijack the one time password if it never leaves the device.

Meanwhile, SMS messages are sent in plain text, with a weak encryption such as CDMA or GSM and are prone to eavesdropping. They do not offer any end-to-end encryption available in modern messaging apps like Signal or WhatsApp.

Is TOTP Authenticator safe?

TOTP Authenticator is a widely used two-factor authentication method that provides an additional layer of security to online accounts. It works by generating a unique one-time password that is valid for a short period of time, usually 30 seconds, and requires the user to enter this code along with their regular login credentials.

As long as the server implementation is correct and did not take any shortcuts the TOTP:

  • the secret is stored securely and encrypted as recommended in RFC 6238
  • make sure that OTP is used only once
  • mitigate potential MITM (Man-in-the-middle) attacks by rejecting OTP after the user has been authenticated

Can anyone hack 2FA?

The most insecure part of TOTP is the registration phase where the server transfers the secret to the user's device via QR code or plain link. This must be done in a safe environment where no third person could scan the QR code and authorize their device.

While TOTP Authenticator is generally considered safe, it is not foolproof. There have been instances of hackers using phishing attacks to trick users into giving up their TOTP codes, or using malware to intercept the codes as they are generated. Additionally, if the user loses their TOTP device, or it is stolen, it can be used to gain unauthorized access to their accounts.

However, modern mobile devices have come a long way in terms of security measures and user authentication. Even when the phone is stolen, the attacker has to get through biometric authorization such as Face ID for iOS or Face Unlock for Android.

Is it possible to brute force a 2FA?

It is technically possible to brute force a 2FA (Two-factor authentication) code, but it can be very difficult and time-consuming for an attacker to accomplish.

To brute force a 2FA code, an attacker would have to guess both the user's password and the 2FA code within the limited time window, which is a very difficult task. Additionally, some systems will lock out users or require additional verification after several failed attempts, which makes brute force attacks even more difficult.

How does 2FA work step by step?

The TOTP algorithm works by generating a unique six-digit code every 30 seconds based on a shared secret key and the current time. This key is known only to the user and the service provider, and it is used to encrypt and decrypt the code.

After user enters their password, in the next step, they are requested for OTP. The user then enters the code into the login page, which is verified by the service provider. If the code is correct, access is granted to the account. This process adds an extra layer of security to online accounts, making it much harder for hackers to gain access to sensitive information.

TOTP can work without internet thanks to the symmetric encryption algorithm. In other words, it is a mathematical formula that can generate the same results based on the secret key and the universal Unix timestamp.

For example, time-windows may follow this pattern:

  • 10:00:00
  • 10:00:30
  • 10:01:00
  • 10:01:30

Because of network latency it is not possible for the app to generate code exactly at the same time as server. There is a predefined time window that is usually set to 30 seconds and server often checks for a code from the previous cycle. It is necessary to make sure that OTP generated in the last second of the time window is still valid.

Example without checking both cycles:

  • 10:00:59.601 - device and server both generate the code 922 888 (10:00:30 <= timestamp < 10:01:00)
  • 10:00:59.999 - packet sent over network
  • 10:01:00.112 - code arrives at the server too late in the next cycle, 10:01:00 <= timestamp < 10:01:30
    • server has generated a new code 333 722
    • comparison fails 333 722 != 922 888 โŒ
  • authentication failed, OTP is rejected

Example without checking the current and previous cycle:

  • 10:00:59.601 - device and server both generate the code 922 888 (10:00:30 <= timestamp < 10:01:00)
  • 10:00:59.999 - packet sent over network
  • 10:01:00.112 - code arrives at the server:
    • the server has both new code 333 722 and the code from the previous cycle: 922 888
    • server compares codes:
      • 333 722 โŒ
      • 922 888 โœ…
  • authentication successful, OTP is accepted

Checking both cycles ensures that short network latency won't affect the user experience. This small compromise prevents any confusion with invalid code that may fall outside the server's time-window.

What happens if you lose your 2FA key?

If you lose your 2FA (Two-factor authentication) key, you may not be able to access your account(s) that are protected by 2FA until you regain access to your key or set up a new one.

The exact process for recovering a lost 2FA key depends on the specific service or application that you use. However, here are some general steps that you can take to recover your 2FA key:

  • Use a Backup Key: Many 2FA systems will provide users with a backup key that can be used in case you lose your primary key. If you have a backup key, you should be able to use it to log in to your account and then set up a new 2FA key.
  • Contact the Service Provider: If you don't have a backup key or can't use it for some reason, you may need to contact the service provider and go through their account recovery process. This will likely involve verifying your identity through other means, such as through email, phone call, or answering security questions.

It's always a good practice to make note of your backup keys or set up a recovery method before you lose your primary 2FA key to avoid being locked out of your accounts.

Bringing it All Together

In conclusion, the TOTP algorithm provides a secure and convenient way to add an extra layer of security to online accounts. With the use of a shared secret key and time-based generation of unique codes, TOTP can effectively protect against brute-force and other security vulnerabilities.

Additionally, the fact that it can work without internet access thanks to its symmetric encryption algorithm makes it even more convenient for users. Compared to SMS-based two-factor authentication, TOTP is considered more secure and less prone to MITM attacks.

It is important for both the server and the user to ensure that no third party can intercept the QR code or link during the transfer of the secret to the user's device. By taking necessary precautions during the registration phase, TOTP can remain a reliable and secure method for authentication.

Bonus: for organization concerned about the tradeoffs associated with TOTP, there is another solution - TiQR.

References:

Consulting avatar

Do you need assistance with your Magento 2 store?

Share this post

Find more posts by tags
Explore all tags