I’m sorry - I think we miscommunicated here.

I was not advocating for TOTP or HOTP for SMS -  in fact I’m completely against 
SMS being used for multi factor auth at all. 

-j

Sent from my iPhone

> On Apr 18, 2021, at 12:48, William Herrin <b...@herrin.us> wrote:
> 
> 
> On Sun, Apr 18, 2021 at 12:03 PM John Adams <j...@retina.net> wrote:
> > On top of this most TOTP and HOTP systems have additional security checks 
> > like blocking reuse of codes, rate-limiting of guesses, and in some cases 
> > acceptance of earlier codes (in TOTP) if the clock skews too far that make 
> > them much stronger options which decreases security but is certainly more 
> > of a convenience factor. 
> 
> Hi John,
> 
> On a site, the symmetric key used to generate the TOTP code is stored in the 
> same database as the user's password. Unencrypted or with readily reversible 
> encryption since unlike a password it can't be verified by comparing 
> ciphertext. Your protection is that every site uses a different TOTP key, 
> just like you're supposed to use a different password, so compromise of a 
> single site doesn't broadly compromise you elsewhere. It can also be captured 
> with malware on your phone, the same place an adversary will sniff your 
> password, which -will- broadly compromise you if you're also entering the 
> passwords on your phone.
> 
> None of these authentication schemes are magic. They all have attack vectors 
> with varying degrees of difficulty, none of which are particularly harder 
> than breaking a well chosen password. 2FA doesn't solve this. All it does is 
> require an adversary to break -two- completely different authentication 
> schemes in close enough proximity that you won't have closed the first breach 
> before they gain the second. That's it. That's all it does. 
> 
> While attacks on SMS are certainly practical, stop and think for a moment on 
> how you would scale them up and break 10000 accounts per day. Got a plan 
> where you're not caught in the first two days? No, you don't.
> 
> SMS is not a strong authentication factor. When used well, it's not intended 
> to be. It's meant to require an adversary to do enough extra work after 
> having already captured your password that unless they're specifically 
> targeting you, the odds favor discovering and correcting the original breach 
> before much harm can be done. For that use and that use only, it performs 
> about as well as TOTP. 
> 
> If you can reset your email password with an SMS message and reset your bank 
> password with an email then SMS has been misused as a very weak single factor 
> authentication process. Not because SMS offers weak authentication (that's 
> all it's meant to offer) but because it was used incorrectly in a process 
> that needed strong authentication.
> 
> Regards,
> Bill Herrin
> 
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

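The server-side checks John lists (replay blocking, rate-limiting of guesses, a tolerance window for clock skew) and Bill's point that the TOTP secret is a symmetric key the site must keep in recoverable form, shown as one runnable verifier. This is an added example written for this page, not code from either poster. The class and function names (`TotpVerifier`, `provision_secret`, the `window`/`max_failures`/`lockout_seconds` parameters) are my own choices; the key `12345678901234567890` is the RFC 4226/6238 test key, used so the codes it produces can be checked against the RFC test vectors. Timestamps are passed in explicitly rather than read from the clock so the behaviour is reproducible.

```python
# Added example: minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) generation plus the
# verification checks discussed in the thread. Not code from the mailing list.
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Tuple

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def provision_secret(nbytes: int = 20) -> Tuple[bytes, str]:
    """Generate the shared symmetric key (assumed helper name).

    The raw bytes are what the site has to store in recoverable form, since it
    must recompute codes from them; the base32 form is what goes into the user's
    authenticator app. Compromise of the database therefore yields the key.
    """
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


class TotpVerifier:
    """Per-user verification state (assumed class name). In a real deployment this
    state lives alongside the secret in the user record."""

    def __init__(self, secret: bytes, window: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.window = window                  # accept +/- this many steps of clock skew
        self.max_failures = max_failures      # wrong guesses before a lockout
        self.lockout_seconds = lockout_seconds
        self.last_counter = -1                # highest counter already redeemed (replay guard)
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'bad_code', 'replay' or 'rate_limited'.

        Show the user a single generic failure message; log the distinct reason,
        since a 'replay' is a strong signal that a code was intercepted.
        """
        if now < self.locked_until:
            return "rate_limited"
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter <= self.last_counter:
                    return self._fail(now, "replay")
                self.last_counter = counter   # burn this code and every earlier one
                self.failures = 0
                return "ok"
        return self._fail(now, "bad_code")

    def _fail(self, now: int, reason: str) -> str:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return reason


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 6238 test key
    v = TotpVerifier(key)
    code = totp(key, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))   # second use is a replay
```

The window is deliberately small: every extra step of tolerance doubles the number of codes an attacker can guess against, which is the trade-off John alludes to. The replay guard records the highest counter redeemed rather than a set of used codes, so a code from an earlier step than one already accepted is refused even if it was never used.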