
Three ways attackers get around TOTP authentication


Time-based one-time passwords, or TOTPs, have become common as the second factor of two-factor authentication, which verifies users based on two conditions: something they know and something they have.

To validate their identity using TOTP, a user will log into an app or account by inputting their username and password (the thing they know), then will be prompted to enter a random code — the TOTP, which becomes the thing they have — that they also must input to gain access to their account.

Unlike a one-time password (OTP) delivered by SMS or email, a time-based one-time password is generated by an authenticator application using an algorithm that takes the current time as one of its inputs; in most cases, the token expires after some number of minutes or even seconds. This additional layer of security means that even if a user's known password is compromised, an attacker can’t gain access without the TOTP, which of course expires quickly.

TOTP is an approved standard of the Internet Engineering Task Force, the body that develops and promotes voluntary Internet standards. Yet like any single security solution, TOTP as part of two- or even multi-factor authentication is not fool-proof.

We mean that quite literally; the concept of TOTP is a sound one, but human error always manages to gum up the works. Here are three ways criminals take advantage of our imperfect behaviour:

Social engineering

Although the time-based element theoretically makes TOTP less susceptible to social engineering than other forms of multi-factor authentication, criminals still regularly trick users into handing over access.

When an attacker goes after a user’s TOTP token, timing is crucial. The malicious actor will attempt to log into a given user’s account with a valid credential -- likely a password recycled from a previous breach -- and then immediately try to trick that user into sharing a TOTP token. For example, the criminal might send the user a text or email saying something like, “Your account has been flagged for malicious activity. For the security of your account, reply back with a TOTP token to verify your identity.” As soon as the victim provides a token, the attacker can complete the login process and gain access to the account.

Rather than convincing the victim to provide a TOTP token at exactly the right time, an attacker might try convincing them to share a TOTP recovery code. TOTP recovery codes are different from OTP in that they are not temporary and are meant to be a backup plan in the event the user loses their phone. By convincing a victim to hand over this code using any premise, the attacker can gain illegitimate access to their accounts without worrying about the time-based component.

Poor security hygiene from TOTP app developers

When you use a TOTP authenticator application, you’re trusting that the app developer has stored secret keys securely and implemented TOTP correctly within the app itself. Weak security practices can put your accounts at risk.

Applications that generate TOTP rely on a secret key, or “seed,” that is shared between the user and the app. The app algorithm uses the TOTP seed and current time to produce one-time passwords. If an attacker gets access to the secret key — say, through a server-side breach of a database of stored secrets — they can use it to create their own valid authentication codes and access other accounts.

From the application perspective, there’s a lot that can go wrong if the app developer has implemented TOTP incorrectly. For example, the application might not expire tokens after use, meaning the “one-time passwords” it generates can be used again by an attacker. Bad implementation can also make it possible for bad actors to brute force the keyspace of TOTP.
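The two paragraphs above describe the seed-plus-time algorithm and the two implementation mistakes that undermine it (accepting a code more than once, and leaving the six-digit code space open to guessing). The following is an added example, not code from the original article or from any particular authenticator vendor: a minimal RFC 4226/6238 generator (HMAC-SHA1, 30-second steps) beside a verifier that refuses to accept any time step at or before the last one it already consumed and locks after a handful of failures. The seed value is the ASCII test seed from the RFCs; the verifier class, its window and its lockout threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

# ASCII test seed from RFC 4226 / RFC 6238 (constructed test input, not a real account secret).
TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, dynamically truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side verifier (hypothetical, for illustration) that enforces the 'one-time' property.

    - window: how many steps of clock skew to tolerate on either side of 'now'
    - max_failures: consecutive wrong codes before the account is locked (blunts brute force)
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1, max_failures: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.max_failures = max_failures
        self.last_counter = -1   # highest time-step counter already consumed by a successful login
        self.failures = 0

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'rejected', or 'locked'."""
        if self.failures >= self.max_failures:
            return "locked"
        current = now // self.step
        for c in range(current - self.window, current + self.window + 1):
            if c < 0 or c <= self.last_counter:
                # Never re-accept a step that already produced a successful login: this is the
                # replay protection the article says careless implementations leave out.
                continue
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                self.failures = 0
                return "ok"
        self.failures += 1
        return "rejected"


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test seed:", totp(TEST_SEED, now))
    v = TotpVerifier(TEST_SEED)
    code = totp(TEST_SEED, now)
    print("first use:", v.verify(code, now))    # ok
    print("replay:   ", v.verify(code, now))    # rejected
```

The replay rule matters because a 30-second step with a one-step skew window gives an attacker who has captured a code up to roughly 90 seconds to reuse it unless the server remembers what it has already accepted; the failure counter matters because without it a six-digit space with three acceptable steps is only about 333,000 guesses per window.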

From one account to the next

When criminals gain access to one user’s account, they’re often able to then get into many others owned by the same user. They may be able to get into the first account through no fault of the user if the original site has been breached, or because a third-party breach exposes the user’s poor password hygiene (reusing credentials) across multiple sites.

Unfortunately, many users store TOTP seed backups in their cloud storage, email accounts, or cloud-based phone backups. Once in the account, hackers are often able to hunt through files and email drafts to discover the secret key of the TOTP, which then allows entry into more high value targets such as bank accounts.

How to strengthen TOTP/2FA management

Using time-based one-time passwords as part of a two-factor authentication strategy isn’t a cure-all, but it should remain part of a strong, multi-layered security strategy. To reduce the likelihood of human error:

  • Educate users about the importance of adopting multi-factor authentication.
  • Review all forms of social engineering with users as part of a robust security awareness campaign.
  • Use location-based controls; make sure login attempts and 2FA come from the same IP address.
  • If a login is suspicious, use time as a deterrent (for example, use a 48-hour hold).

And because humans are inevitably fallible, it’s critical to also align user account security with NIST guidelines for better passwords. Don’t allow users to reset passwords to something obvious or overly simple, or to a recycled password that’s been breached before. Set strong rules on password change processes and automate checks for reused passwords, so that your security team is alerted if users’ passwords have appeared in a third-party data breach. When passwords are found to be compromised, security teams can force a password reset or step-up authentication for that user – preventing exposures from progressing to account breaches.

Chris LaConte, Chief Strategy Officer, SpyCloud