What Does TOTP Protect From?

This post is a follow-up to the previous post about how I can use open source software for Time-based One Time Passwords (TOTP), often loosely referred to simply as OTP. As shown in the previous post, TOTP codes are generated from a shared secret that is stored on both the client and the server. And that is its weak point! If the server's credential database is stolen, the shared secret goes with it. Unlike a password, which the server only needs to keep as a salted hash, the TOTP secret has to be stored in a form the server can feed into the HMAC on every login, so the attacker gets it in usable form. Once the attacker has also cracked the hopefully 'salted' password hash, everything needed to log in is in hand and the game is lost. So what is TOTP good for then?

Protection From Malware Using Stolen Passwords

To a certain degree TOTP is useful if a username and password pair is stolen from the client side, e.g. by malware that was installed in some way and then extracts saved passwords and sends them home (strictly speaking an infostealer rather than ransomware). If the shared TOTP secret is stored, and the codes are generated, on another device, the stolen username/password pair alone is not enough to log in. To succeed, the attacker would have to obtain a current one time password, i.e. trick the user into generating one and handing it over within its 30-second validity window (plus whatever clock-drift tolerance the server allows). Not impossible, but it requires real-time effort that might not be worth it to the attacker. The protection evaporates, of course, if the TOTP secret lives on the same infected device, for example as an extra field in the same password vault the malware just emptied.

Protection Against Password Re-Use Across Sites

TOTP also protects those who use the same password across many sites. Credentials stolen from one site and tried on others (credential stuffing) are worthless on a site that uses TOTP, because the username/password combination alone won't get past the login there. That doesn't help me much personally, as I use randomly generated individual passwords per site.

Partial Protection Against Phishing

TOTP also helps against attacks that try to capture the username/password combination for a website with a phishing attack, i.e. an email that sends the user to a replica of the real website. The help is only partial, though: a phishing page that merely collects credentials for later use is defeated, because any captured code expires after a step or two, but a phishing kit that works as a live reverse proxy, forwarding the victim's password and current code to the real site within seconds and keeping the resulting session, is not, since the code is still valid when relayed. Only origin-bound second factors such as FIDO2/WebAuthn security keys or passkeys close that gap. Not much protection for me personally again, as the first rule is never to click on links in emails which lead to username/password sites. Also, I use a password vault which only autofills usernames and passwords when the correct domain name is used. I NEVER enter usernames and passwords on web pages manually, unless I have made sure beyond doubt that I'm talking to the real website, and only after careful examination of why autofill has not worked. This should theoretically never be necessary, but I've had several occasions in the past where a web service changed the domain name for its login process, in which case the autofill function rightly refuses to supply the password. Such web site changes are a no-no these days from a security point of view, but it seems not every company has understood the mess they create with this.

Summary

Anyway, long story short, the main scenario TOTP protects me from is one of my devices getting infected with ransomware, spyware or whatever you want to call it, malware that is able to extract passwords from my password vault. For the other scenarios I have other defenses in place, so I wouldn't strictly need it there. But then, it's always good to have an added layer of security in place as long as the balance between security and usability holds. And with TOTP, at least for me, it does in the majority of use cases I have today.
