Chase Thompson

Trusting users with TOTP

I think TOTP is a great solution and I am baffled that Google and Twitter require SMS fallback for TOTP. They require you to enable SMS before TOTP and then they disable all 2FA if you remove your phone. I assume that the reasoning is, "We don't want to have to deal with every user that loses a phone". That's fair, but you wouldn't have that problem if you made it easier for users to back up the secret seed for the TOTP generation.

Mandatory SMS fallback is both an invasion of your privacy and makes you vulnerable to SIM swapping.

  • Like 1


Counterpoint - having deployed these solutions at scale, SMS and phone calls are the way to go. Apps are too complex for many users, and there's a very high probability of users getting locked out.

Here is a classic example - half the users have just configured Google Authenticator. That will be the 50% of users who lose access when they lose their phones or upgrade in a few years, as the tokens are lost and I don't offer a recovery process. Those who set up Authy will retain access as it has phone backup.

  • Like 2


I used Google Auth, but also backed up the secret offline, which I think is a reasonable thing to expect from a community of infosec people.

My issue with Twitter and Google is the all or nothing approach to the SMS piece.

  • Like 1
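An added illustration of the point made in the opening post and the reply above (example code, not from any poster): a TOTP code is a pure function of the shared seed and the clock, so an offline copy of the base32 seed (or the otpauth:// URI it is enrolled from) is a complete backup. The seed below is the RFC 6238 SHA-1 test key, used here as a constructed example; the issuer and account names are placeholders.

```python
"""TOTP (RFC 6238) from a backed-up seed: any device holding the same
base32 seed produces the same codes, which is why an offline copy of the
seed restores access after a lost phone without an SMS fallback."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def totp(secret_b32: str, for_time: int, digits: int = 6, step: int = 30) -> str:
    """Compute the TOTP code for a base32 seed at Unix time `for_time`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = for_time // step                      # RFC 6238 time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The otpauth:// URI an authenticator enrolls from; storing it (or its
    QR code) offline is the seed backup the thread argues for."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def verify(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30), code)
               for d in range(-window, window + 1))


def restore_matches(secret_b32: str, now: int) -> bool:
    """Simulate a lost-phone restore: a new device that re-imports the
    backed-up seed yields the same code as the old one."""
    return totp(secret_b32, now) == totp(secret_b32, now)


# Constructed example seed: the RFC 6238 SHA-1 test key "12345678901234567890".
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = int(time.time())
    print(otpauth_uri("ExampleSite", "alice@example.com", RFC_SEED_B32))
    print("code:", totp(RFC_SEED_B32, now), "restore ok:", restore_matches(RFC_SEED_B32, now))
```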


The most popular feature on this website is forgot password, true story. 

I can say from experience, when people lose their phone they will likely get locked out. I’ve seen it happen first hand, even with IT people, as they just don’t understand how Google Authenticator works.

At scale you have to offer phone recovery, as it's a business imperative - with Twitter they have 71,000 users per staff member. They can't afford to have people locked out, literally.

  • Like 1


I usually use the Google Authenticator option to generate the TOTP secret, but use Authy as my client. I am in control of the encryption key that's used to backup/sync, so I can set them all back up on another device when needed.

  • Like 1


Yeah, that's a good way of doing it. Personally I use Microsoft Authenticator, which lets you add Google Authenticator tokens - and backs up to iCloud on iOS. It's obviously still flawed as you can recover iCloud via SMS, of course.
