Monday 25 July 2016

Two-factor authentication with TOTP applications

Many websites and online services offer two-factor authentication (2FA) using SMS or using a Time-based One-Time Password (TOTP) application (some services also offer an email link, but I will not cover it here, although it also adds security in a similar way).

It is highly recommended to use two-factor authentication to sign in to websites. It adds a second piece of information besides the password, which makes signing in a bit more secure. The only way someone can get into your account is if they acquire both your password and the secret key on your phone.

I prefer TOTP over SMS, because SMS is sometimes unreliable and slow. (I won't discuss which method is more secure; there are potential vulnerabilities in both cases depending on device and platform.)

Time-based One-Time Password

A Time-based One-Time Password algorithm calculates a one-time password from a shared secret key and the current time. It is a standard described in RFC 6238. It requires that the user saves a secret key on a device, typically a smartphone. Many services present this key as a QR code that can be scanned quickly.

The password in the TOTP application changes every 30 seconds, on both the client and the server. You need to enter the password that is currently visible.

The good thing with TOTP is that it is a standard that can be implemented in a generic application. There are services that require the use of their own application, but in my opinion they miss the point. I like to have one single application on my phone with TOTP authentication to a lot of services. Google Authenticator is a good example that implements TOTP. There are even PAM modules, so that you can use it to add security to e.g. server authentication. I use SailOTP on my Jolla phone with the Sailfish operating system. For Android, there is a FOSS app available: FreeOTP.

Sites that use 2FA

Here is a good list of sites that use 2FA. Most big online services support 2FA, like Google, Facebook, LinkedIn, Dropbox, GitHub etc. Note that not all of them use TOTP; some have their own implementation or use some other kind of authentication. For instance, Steam has its own implementation of TOTP and you need their own client to use it (but as far as I can tell it almost follows the standard). PayPal's support for SMS 2FA is half broken, at least outside the US, though. It works once it is set up, but setting it up is almost impossible due to the broken website.

Steam and TOTP

The following is not supported by Steam, but you can use Steam with a standard TOTP application if you can manually enter the secret key and it supports 5-character passwords (like e.g. SailOTP).

To add the Steam secret key to the TOTP application, you need to install the Steam client on a device first. On an Android device (or on the Jolla phone's Android layer), the key is located in the file "(/opt/alien)/data/data/com.valvesoftware.android.steam.community/files/Steamguard-$STEAMID" in the string "otpauth://totp/Steam:$STEAM_USERNAME?secret=$SECRET&issuer=Steam", where $SECRET is the secret key. You can add this key manually to the TOTP application.
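As an added example (not code from this post, nor from SailOTP, FreeOTP or Steam), here is a small Python implementation of what the TOTP section and the Steam paragraph describe: the RFC 6238 computation with a 30-second step, parsing of the otpauth:// string quoted above, and the server-side check with a one-step tolerance window for clock drift. The 5-character Steam encoding and its alphabet are my assumption about how generic clients derive the Steam code; they are not documented on this page.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth://totp/<label>?secret=...&issuer=... URI into (label, secret, issuer)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(u.query)
    return unquote(u.path.lstrip("/")), params["secret"][0], params.get("issuer", [None])[0]


def hotp_truncate(secret_b32, counter):
    """RFC 4226 core: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    to a 31-bit integer. The secret is the base32 string from the otpauth URI."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the epoch,
    so client and server agree as long as their clocks agree."""
    t = int(time.time() if unix_time is None else unix_time) // step
    return str(hotp_truncate(secret_b32, t) % 10 ** digits).zfill(digits)


STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # assumption: Steam's 26-symbol code alphabet


def steam_code(secret_b32, unix_time=None, step=30):
    """Steam variant (assumption, not from the post): identical HMAC and truncation,
    but the 31-bit value is written as 5 symbols in base 26 instead of 6 decimal digits."""
    value = hotp_truncate(secret_b32, int(time.time() if unix_time is None else unix_time) // step)
    out = []
    for _ in range(5):
        out.append(STEAM_ALPHABET[value % 26])
        value //= 26
    return "".join(out)


def verify_totp(secret_b32, code, unix_time, window=1, step=30):
    """Server side: accept the current step and `window` steps either side, so a phone whose
    clock is a few seconds off still works. Constant-time compare avoids a timing oracle."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + k * step), code)
               for k in range(-window, window + 1))
```

The 6-digit value for the RFC 6238 test secret at T=59 is 287082, which the verification routine also accepts one step later but not two steps later.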

Screenshot of the SailOTP application in Sailfish (with censored accounts and passwords of course):