Mobile Authenticator Apps Algorithm Support Review - 2023 Edition

Last week my favorite IT security podcast Bli säker (Become Secure in English) published the episode The Epochalypse and the QR Code (only in Swedish) where they explained the technology behind mobile authenticator apps. I felt I needed to refresh my TOTP algorithm support investigation from 2019 before the recording of the next episode of the Bli säker podcast. So this is an update to the blog post I published in July 2019 called Many Common Mobile Authenticator Apps Accept QR Codes for Modes They Don’t Support. Most of the text, like an introduction to the concepts, is copied here so there is no need to revisit unless you are interested in the apps’ support back then. If you’ve recently read it or you are just interested in the results in this 2023 edition, you might want to skip to the Tested Apps section. This year I don’t write comments on the individual apps and I don’t include any screenshots. Not much has changed in the tested apps since then. This year I’ve included seven (7) new apps however.

You probably use an “authenticator app” such as Google Authenticator to enable two-step verification (sometimes called two-factor authentication, 2FA, or multi-factor authentication, MFA) for an online account. The method is called Time-Based One-Time Password Algorithm (TOTP) and is standardized in RFC 6238. I have compared the following TOTP apps for the mobile platforms Android and iOS:

Bitwarden Password Manager (required premium account for TOTP support).

The de-facto standard is to transfer TOTP parameters including the secret (key) using a QR code. The TOTP standard recommends a default time-step size of 30 seconds. The QR code encodes text in the so-called Key URI format as per a Google Authenticator wiki article: The HMAC-SHA-1 hash function is the default but HMAC-SHA-256 and HMAC-SHA-512 are also allowed. The digits parameter may have the values 6 or 8, and determines how long a one-time passcode to display to the user. Varying the number of digits is not mentioned in the TOTP standard apart from in the Java reference implementation, but it’s mentioned as an extension in the underlying HMAC-Based One-Time Password Algorithm (HOTP) standard (RFC 4226) in Appendix E.1:

“A simple enhancement in terms of security would be to extract more digits from the HMAC-SHA-1 value. For instance, calculating the HOTP value modulo 10^8 to build an 8-digit HOTP value would reduce the probability of success of the adversary from sv/10^6 to sv/10^8.”

My investigations show that many common mobile authenticator apps accept QR codes for hash algorithms, periods and numbers of digits they don’t support. Instead they assume the standard settings and generate tokens based on those, giving wrong tokens, no error messages and a bad user experience. Sites providing TOTP as a two-step verification method usually require the user to provide one token to prove that the app has saved the TOTP parameters, that the device has the correct time and so on, so there is no risk that these shortcomings would lock users out of their accounts, but there is a risk that a user would skip two-step verification if the setup process fails. I recommend that authenticator app developers validate the data from the QR code, check whether the app supports the mode encoded in it and give the user a descriptive error message if it detects a setting which the app does not support.
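The following is an added example, not code from the original post or from any of the tested apps, showing the validation the post recommends: a Key URI parser that compares the algorithm, digits and period in the QR code against what the app can actually generate and fails with a descriptive message at setup time, next to an RFC 4226/6238 code generator that demonstrates the modulo-10^digits truncation quoted above. The names SUPPORTED, UnsupportedParameterError, make_key_uri, parse_key_uri and token_for_uri are this example's own; SUPPORTED is a constructed stand-in for one hypothetical app's capabilities, and the secrets used in the demo are the ASCII test seeds from RFC 6238 Appendix B, not real keys.

```python
import base64
import binascii
import hmac
import struct
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed example of what one hypothetical authenticator app can generate.
# SHA1 / 6 digits / 30 s are the Key URI defaults; many apps accept other values
# in the QR code but still generate codes with these, which is the bug the post describes.
SUPPORTED = {"algorithms": {"SHA1"}, "digits": {6}, "periods": {30}}


class UnsupportedParameterError(ValueError):
    """Raised when a Key URI asks for a mode this app cannot generate."""


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then reduce modulo 10**digits (the Appendix E.1 extension)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def make_key_uri(label: str, secret: bytes, algorithm="SHA1", digits=6, period=30) -> str:
    """Build an otpauth://totp/ Key URI as a site would embed it in a QR code.
    The secret is base32 without '=' padding, as the Key URI format specifies."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    query = urlencode({"secret": b32, "algorithm": algorithm,
                       "digits": digits, "period": period})
    return f"otpauth://totp/{quote(label)}?{query}"


def parse_key_uri(uri: str, supported=SUPPORTED) -> dict:
    """Parse a Key URI and reject, with a descriptive message, every setting the
    app does not support instead of silently falling back to the defaults."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise UnsupportedParameterError(f"not a TOTP Key URI: {uri!r}")
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise UnsupportedParameterError("Key URI is missing the secret parameter")
    algorithm = params.get("algorithm", "SHA1").upper()
    try:
        digits = int(params.get("digits", "6"))
        period = int(params.get("period", "30"))
    except ValueError:
        raise UnsupportedParameterError("digits and period must be integers") from None

    # Collect every unsupported setting so the user sees the whole problem at once.
    problems = []
    if algorithm not in supported["algorithms"]:
        problems.append(f"algorithm {algorithm} (app supports {sorted(supported['algorithms'])})")
    if digits not in supported["digits"]:
        problems.append(f"{digits} digits (app supports {sorted(supported['digits'])})")
    if period not in supported["periods"]:
        problems.append(f"period {period} s (app supports {sorted(supported['periods'])})")
    if problems:
        raise UnsupportedParameterError(
            "this authenticator cannot generate codes for this account: " + "; ".join(problems))

    b32 = params["secret"].strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding the URI omits
    try:
        secret = base64.b32decode(b32)
    except binascii.Error as exc:
        raise UnsupportedParameterError(f"secret is not valid base32: {exc}") from None
    return {"label": unquote(parts.path.lstrip("/")), "secret": secret,
            "algorithm": algorithm, "digits": digits, "period": period}


def token_for_uri(uri: str, unix_time: int, supported=SUPPORTED) -> str:
    """What a careful app shows: the correct code, or an error already at setup."""
    p = parse_key_uri(uri, supported)
    return totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    # Constructed demo with the RFC 6238 Appendix B SHA1 test seed (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    uri = make_key_uri("Example:alice@example.com", seed, "SHA256", 8, 60)
    try:
        token_for_uri(uri, 59)
    except UnsupportedParameterError as exc:
        print("setup rejected:", exc)
    # A permissive app would ignore the parameters and silently show this code instead:
    print("default-settings code:", totp(seed, 59))
```

Running the block prints the rejection message for a SHA256/8-digit/60-second account on an app that only does SHA1/6/30, followed by the SHA1 six-digit code such an app would have displayed (and the site would have refused) had it skipped the check. Passing a wider capability set as `supported` lets the same parser accept those URIs, so the check is data-driven rather than hard-coded per app.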