Time based One Time Pad and You

Time based One Time Pad (TOTP) is the technical name for those changing numbers you might use to log in to sites and secure systems.  Google Authenticator is possibly the best well known and has plugins to use in lots of places such as WordPress sites and even SSH.  But recently some have started to use this as their only login, and this is actually highly insecure.  Lets walk through why this adds so much security when used for two factor auth and why its very poor security for single factor auth.

Single Factor Auth

To gain access to your front door at home you probably have a physical key to get in.  This is called single factor authentication, access is based solely on something you carry physically.  This "Something you have" method is one way to maintain security.  When we moved to digital access, authentication changed to just using a password.  This is also one factor but instead of being based on something you have, it was "somethin you know".  There are also systems that use a different authentication method, which is "Something you are".  These are things like retinal, handprint, fingerprint scanners, etc.  To increase security its better to have multiple of these things creating 2 factor or potentially 3 factor auth.  Even if someone has your password, they still need to pass the other factor, which can be pretty difficult if its something you have or are.  TOTP systems like Google Authenticator falls in to the "something you have" category.  Its a string of 6 digits that changes every 30 seconds.

So how does this make me more secure?

For an account online you are looking to prevent people from performing a "brute force" attack.  This is just trying every combination of values.  If your password were only 1 digit it would take you at most 10 tries to guess the password.  for every digit you add that amount goes up exponentially.  Lets say your password is 2 digits, now its 10^2 or 100 possible passwords (00 - 99).  Many of these TOTP systems use 6 digits which gives us one million possible combinations.  Sound Good?   Well its not really.  We have been only base 10,  when you use lower case letters you have 26 possible values, so 6 letters and you have 26^6.  If you use lower case, upper case, digits, and lets say 10 possible symbols you are up to 72 options.  Then most banks enforce a minimum length of 8 characters.  Now we are up to 72^8 (over 722 Trillion).  Now those are some secure passwords.

TOTP basically works like this, you login with your usual password, then you are challenged to put in your TOTP value at that time.  Once you have proved you know the password, you also have to prove you have the device generating those keys.  If someone guesses the password, they don't have the device and thus have to guess at the 6 digit code to gain access.  Sure they could then try repeatedly guessing that code, but if someone tries too much, you can easily lock the account under the assumption that the password was guessed.  What would be even more secure is that even if a person puts in the wrong password, you still challenge them with the TOTP code.  This would prevent them knowing they guessed the password correctly.

Now lets look at a system where we only use a TOTP code and no rate limiting.  As we already said you have 1,000,000 possible values.  Lets say some hacker wants to gain access to your system but the TOTP code changes every 30 seconds.  Well first lets say they just guess 1 code per second, a VERY slow timing for hackers.  This means they only get 30 chances before the code changed, so they have a 30/1,000,000 chance of guessing correctly.  But the code changed, assuming the code is still just as random as before, they guess those same 30 codes again.  Again they have 30/1,000,000 chances to guess correctly.  Doesn't seem like they are getting anywhere does it.  But they are, they are playing the odds.  Think of it as rolling a die, you can always guess that you'll roll a 1.  You will probably be wrong on the first try, but you might be right.  After 4 rolls you have a pretty good chance of having guessed right once.  After 6 or 7 rolls its very likely that you have guessed correclty.  This is the same thing.

The Math

Keeping with the die rolling method, lets see how these probabilities work.  Your first instinct may be to say well its 1/6 each time, so multiply 1/6 over and over.  Thats actually the odds of guessing it right every time.   To make things easier to the reverse.  What is the chance that you guess WRONG every time.  On the first roll is 5/6 (83%).  The probability of getitng it wrong a second time? 5/6 * 5/6 (69%).  After 4 Rolls you are at (48%) now you passed the fifty percent mark and you are likely to have guessed it correctly.  By 7 rolls you are at only about 28% chance of still guessing wrong.  Now because of this, you will never get to a point when you have DEFINITELY guessing correctly, but by 24 rolls or so, you are down to about 1% chance of still being wrong.  What is interesting is the point at which you pass that halfway mark, 4 rolls.  At this point things are in your favor.

Lets extend things out a bit more and say this hacker kept guessing the same 30 values 33,333 (about 1,000,00/30) times.  At this point the odds are quite good that they guessed the code correctly once and gained access (works out to about a 63% chance of guessing right).   They haven't for sure, but the odds are on their side.  Now after 1,000,000 seconds they should probably have guessed your code and gained access.  How long is that?  1,000,000 seconds works out to about 11 and a half days.  Now as I said 1/second is very slow for a hacker.  maybe they figure out how to do 10 / second and they just cut it down to just over a day to get access.  at 100 / second and they should have access in just under 3 hours.  That doesn't sound so secure to me.  Remember thats not for sure, they could keep trying those same codes and never gain access, they could gain access on the first try, but we are looking a probability.

Rate limits

One of the traditional methods to make brute force attacks infeasible is to use rate limiting.  This is where once a person guessing the password wrong you make them wait a time before they can guess again.  If you drop it down to 1 per second, and we said it would take them 11.5 days.  Drop it to every 30 seconds and its about a year.  But is it really that good still.  When you rate limit you are saying that the search space is large enough to make it highly unlikely for the password to be guessed.  One in a Million sounds like a low chance but if you compare to the case of using a mix of upper and lower case letters, nummbers, and symbols we described earlier and you have 1 in 722,204,136,308,736.  Now that is what I would call unlikely.  If you use TOTP for a second factor, you are basically multiplying that value by a million, so 1 in 722,204,136,308,736,000,000 (1 in 722 Quintillion)... No one is getting in any time soon.  Also most bank sites now require you to change your password every 6 months or so.  Talk about security!

The practical bits

So are there ways to completely skirt the issue?  Sure, after so many incorrect tries, you lock the account or you shut off access using that method, etc.  But there is a certain amount of user experience you have to consider.  Is it really that sane to have only a few tries cause an account to get shut off.   People have started to set their phone to wipe itself after 3 or 4 incorrect password attempts only to regret it when a family member tries to get in to play a prank (or worse yet a child gets a hold of it).  Plus lets say you lock off the TOTP method after a few tries and reactivate when they put in a real password.   Well now the TOTP is really just a hassle since its only active once in a while.  Plus its still the best attack vector for someone to gain access.   Security isn't a joke, just don't use TOTP alone, only after a first password challenge.

(This was hastily composed on the train last night with a small bit of editting this morning, I would be glad to hear comments)

this explanation makes me think TOTP is just adding 6 digits to your password to make brute forcing harder, not really providing a second factor ...