TOTP is not true 2FA

Recently, I’ve been thinking about TOTP and how to use it. I’d like to start a discussion about how useful it actually is. Forgive me for the wall of text, but I’ll include a TL;DR at the bottom.

1. I don’t think TOTP is really 2FA at all.

The three factors are:

  • something you know (e.g. password)
  • something you have (e.g. FIDO2 security key)
  • something you are (e.g. biometrics)

I would argue that if a secret can be copied, then it isn’t “something you have” because proving you have the secret doesn’t prove you physically possess some device/item. Under this definition, a security key implementing FIDO CTAP1/U2F or FIDO CTAP2 counts as “something you have”, but a password written down on paper doesn’t (since anybody could steal the password without stealing the paper).

Even if a TOTP secret is received without being intercepted and stored only on a security key, it does not fully count as “something you have” because the TOTP secret is shared by both the security key and the authenticating server. Therefore, proving you have the TOTP secret doesn’t prove you have the security key.

And although the TOTP secret is never transmitted during authentication, that only really protects you against MITM attacks (e.g. replay attacks) and phishing attacks, which are already mitigated by HTTPS and URI matching, respectively. Sure, TOTP could provide a small amount of additional protection against phishing, but it’s not much if you already take other precautions.

So TOTP is basically having a second password, not a second factor.

Note: I don’t include IRL surveillance as part of my threat model, but as long as you are careful about where you type your passwords, even that threat is significantly reduced.

2. Consequently, TOTP only meaningfully improves security if stored on a separate device.

Let’s say you store your passwords and TOTP secrets in separate vaults synced via different providers.

It would certainly be more difficult for an attacker to breach both providers (and the attacker wouldn’t necessarily know which pair of providers you use). However, I think that any provider trusted with your passwords should be trusted to notify you quickly enough in the event of a breach that you’d have time to change all your passwords before your vault could be cracked (as long as you use a good master password).

Therefore, the main concern I have is that one of my devices could be compromised. In that case, even having two vaults with separate and strong master passwords doesn’t provide any benefit. If the attacker has unencrypted access to one vault, then it stands to reason they have unencrypted access to both. Furthermore, doubling the cracking time is equivalent to only ONE additional bit of entropy, so adding a second vault for the attacker to crack doesn’t help.

TL;DR: TOTP isn’t really 2FA and storing your password and TOTP vaults on completely separate devices is required to see significant security benefits. But even then, it’s not as much of an improvement as using true 2FA.

Furthermore, if you do choose to separate your passwords and TOTP secrets in the name of security, then you should never store passkeys within your password manager, since that is just as risky.

And that’s not even getting into the fact that there’s not much 2FA support for encryption. LUKS supports the FIDO HMAC Secret Extension, but a Bitwarden vault only has 2FA for authentication (i.e. getting a copy of your vault from Bitwarden’s servers), not for encryption. If an attacker has your vault, they only need to crack your master password and no longer need to worry about your 2FA.

2 Likes

Sure, it’s not perfect. Getting to perfect security levels with ease that typical users or my parents can use without much friction is nearly impossible.

RSA had a huge business selling dongles that displayed a TOTP and rotated. As a small device, certainly it was an extra level of security. Usually they were attached to one’s keyring.

I recall hearing horror stories of early Google Authenticator users who lost their phone and also lost their TOTP secrets. Thus backup codes.

Current TOTP use certainly has some caveats as you noted. I still see immense value of their use. If used on your key email services/accounts, it can certainly lessen the chance of losing your account due to a weak password or other compromise, including release of username/password combinations that end up on the dark web and sites like HIBP.

1 Like

I get what you mean! It’s undoubtedly better than nothing, especially for those who reuse passwords or use weak passwords. Adding a unique 160-bit password (32-character base32 TOTP secret) is a spectacular improvement for somebody who would otherwise be reusing a weak 40-bit password.

I think my main point is that TOTP doesn’t provide much inherent benefit. If providers allowed for two passwords, you could gain the same benefits that you do from most modern TOTP implementations.

If you have separate password and TOTP vaults on your phone, you gain no additional security if your phone becomes compromised. Similarly, if you have both vaults on your computer, you gain no additional security if your computer becomes compromised.

There is some benefit in a situation involving only one device being compromised, but only if that compromised device contains at most one of your vaults.

Those RSA SecurID dongles do count as separate devices, although I doubt many people around here use them.

But if you sync separate password and TOTP vaults to all of your devices and don’t want to remove the TOTP vaults from most of them, you should just combine the two vaults.

You describe some extreme cases. A gun pointed at your head reveals the master password easily. For common folks, cases are simpler. As an example, some service gets its passwords leaked and it won’t hurt you, as without the 2fa code the password is not enough.

2fa codes are always useful, even on one device with passwords or passkeys with passwords, etc. Extreme cases require other measures, but often enough the answer is about cooling down one’s paranoia level.

3 Likes

Typically if a service’s database is leaked there’s no reason the TOTP secrets wouldn’t be leaked alongside your password.

1 Like

Sure, let’s get this out of the way: Storing TOTP secrets on a separate device that doesn’t also have access to your password manager is always safer.


I’ve long maintained that TOTP provides virtually no more security than using random, unique passwords for every single website with your password manager.

However, not everyone does that, and TOTP is a simple/foolproof way to bring anyone up to that base minimum level of security, so I would still strongly recommend using it to everyone regardless of where you choose to store it.

Passkeys have significant additional benefits over both TOTP and passwords that mean you should always use them even if you store them in your password manager, as opposed to not using them at all.

3 Likes

Storing secrets with passwords in a single database is not good for one single reason: the case where the entire database gets leaked. Otherwise it is OK. If some service leaked your password, it does not matter whether secrets and passwords are stored together or not.

That is just another case. With the entire database leaked, it makes sense to have passwords and secrets stored separately, and even better if they are stored on different devices. One leaked database is mostly useless without the other.

I repeat the most common case: if some service’s password gets leaked, and this happens all the time and will happen again and again, there is no difference in how your passwords and secrets are stored. Zero difference.

1 Like

I don’t think I described any extreme cases! Like Jonah said, TOTP secrets would be leaked any time your password hash is since they must be accessible to the authenticating server.

I think what myself and Jonah mean is that TOTP is basically just a password. It’s far more secure than your average password at 160 bits, so it’s not bad in any way, it’s just not doing anything for you if your password is already sufficiently complex.

A typical attack against your password vault is going to get to your TOTP vault as well, if they’re both stored on the same device. I mentioned you only gain 1 bit of entropy from splitting everything amongst two vaults. This is because every bit of entropy doubles the number of possibilities. If you have a 10-bit password, then an attacker only needs at most 2^10 (1024) guesses to crack it. An 11-bit password would require at most 2^11 (2048) guesses. As you can see, 1 bit doubles the number of guesses it could take.

So if you split your passwords and TOTP secrets into two vaults protected by similarly complex passwords, that means an attacker would need to spend twice as long cracking. As explained above, that only amounts to 1 extra bit of entropy, which isn’t important when your password is already 80+ bits.

Your password should be strong enough that halving the time required to guess it still doesn’t help an attacker. If an attacker can crack one vault in a reasonable amount of time today, then they need only wait a couple of years to be able to access both (or spend twice as much money today).

Sorry if the part about passkeys was poorly written. I fully agree that passkeys come with upgrades over passwords and TOTP.

However, if you refuse to store passwords and TOTP secrets together in the name of security, then you shouldn’t store passkeys in your password manager, either. Although passkeys do come with security benefits, even in this situation, they also reduce your security in other ways if you would otherwise be storing passwords and TOTP secrets separately. If those other ways are very important to you and your threat model, then I think they should be important to you when it comes to passkeys too.

Wait… You describe 2 passwords, and passwords + 2fa is not the same. If an attacker has the phrase itself then yes, it is like a password. But TOTP is a code, which is changed shortly; you cannot brute-force either the code or the phrase. That is a big difference.

I agree with what you said earlier: storing passwords and TOTP separately would make it way harder for an attacker to gain access to both should you be worried about your vaults being stolen from your providers’ servers.

However, I don’t think storing your passwords and TOTP together carries much real-world risk if you are using a reputable provider. And like you said, there’s not much benefit to separation if you are worried about your vaults being stolen from your own device.

It really all comes down to your threat model.

I would agree with Jonah that TOTP doesn’t really do much for somebody who properly uses a password manager, but does have plenty of benefits for your average internet user.

1 Like

Please read the first section of the OP! TOTP is not really 2FA, and that is why it is basically a second password. TOTP carries no inherent benefit that could not be achieved by just having a second password.

Brute-forcing a TOTP secret is exactly as difficult as brute-forcing a 160-bit password. It’s not possible to brute-force a 160-bit password in a reasonable amount of time with today’s technology, but if it were, TOTP would be just as easily cracked.

I see. But with every brute force attempt to the phrase you also need to brute force all the codes during 30 seconds. Websites usually won’t allow you after 3rd wrong code? That is why I believe phrase is not like a second password.

An attacker can brute-force the TOTP secret offline. Knowing a TOTP code and when it was sent is equivalent to knowing a password hash.

Brute-forcing all 6-digit codes is way easier (~20 bits of entropy), but obviously not practical, like you said.

But you cannot know the TOTP code without the phrase?

If you mean the code generated and sent to email or SMS, then I am not sure how you can use this info to brute-force the phrase and generate such codes yourself. Is it possible? Somehow I doubt it.

Also I do not know any service using two passwords. Maybe ProtonMail, but they stated this method is outdated. Brute-forcing two passwords will take more time; brute-forcing a password and 2fa does not seem to be possible at all. So I still do not get how 2fa is the same as a 2nd password.

I would definitely keep most TOTP phrases in Bitwarden to log in effortlessly. As I do not use premium this is pointless and storing phrases with passwords makes zero sense. Storing the phrases themselves is not even needed at all; the 2fa app stores them already.

Essentially, TOTP works by taking a timestamp and a secret (i.e. a password) and running them through a special function that outputs a 6-digit code.

If you have the timestamp, then you could theoretically brute-force the secret, just like you could brute-force a password from a password hash. However, there are collisions, since there are 2^160 possible secrets but only 2^20 possible codes. This means you’d need multiple TOTP codes from the same TOTP secret to do this reliably. I don’t know if there’s any work showing exactly how many intercepted TOTP codes you’d need, but there’s a chance you’d only need two.

Furthermore, like I said above, doubling the time it takes to crack a password (such as by using two passwords) only adds 1 bit of entropy. Two passwords is therefore not much more secure than one, provided they’re both strong passwords.

So while brute-forcing TOTP is technically more difficult due to collisions, it’s not all that different from brute-forcing passwords. Keep in mind that at 160-bits of entropy, this is all theoretical, since nobody is cracking a TOTP secret or password with an entropy that high, at least not any time soon.

I’m unaware of any breach containing TOTP seeds, even encrypted ones. Can you point to one?

The same applies to biometrics, which can be copied with no ability to generate new credentials. High-assurance is the best you can do; no solution is perfect. I don’t think that precludes them from being considered second-factors.

It will happen for probably most smaller sites which are breached, because most web-service software just uses one database for everything. Furthermore, TOTP seeds can’t be hashed, so they are even less secure than how most companies are storing passwords in the event of a data breach. Here’s one example, and note that interestingly Have I Been Pwned never includes 2FA secrets in the “compromised data” section of their Pwned websites database even if those secrets were compromised, so it is a little hard to tell 🤔

Actually, this is a solid argument that passwords and TOTP codes complement each other well, because they do different things:

  1. Passwords are transmitted to the server in plaintext, but they’re stored as hashed values (ideally) so they are not exposed in data breaches.
  2. TOTP codes can be intercepted in transmission, but the underlying secret is generally stored by the server with reversible-encryption or plaintext making them much more susceptible to data breaches.

So if a data breach occurs, a strong & unique password protects you and TOTP codes won’t, and if your network traffic is compromised then TOTP codes protect you and your password won’t 🙂

Some more info about this:

3 Likes
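
Added example (not part of any post in this thread): a Python sketch of the "special function" described above (RFC 6238 TOTP with HMAC-SHA1) next to a server-side record, showing the asymmetry from the last post: the password can be kept as a one-way hash, while the TOTP seed has to stay recoverable so the server can recompute codes. The row layout, function names, sample password and PBKDF2 iteration count are assumptions made for illustration; the seed is the RFC 6238 test seed.

```python
import hashlib, hmac, os, struct

STEP, DIGITS, PBKDF2_ITERS = 30, 6, 600_000  # RFC 6238 defaults; iteration count assumed

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**DIGITS).zfill(DIGITS)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def enroll(password: str, totp_secret: bytes) -> dict:
    """Hypothetical database row: what the server must keep for each credential."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": _pw_hash(password, salt),  # one-way: the server only compares hashes
        "totp_secret": totp_secret,           # recoverable: needed to recompute the HMAC
    }

def verify(row: dict, password: str, code: str, now: int) -> bool:
    pw_ok = hmac.compare_digest(_pw_hash(password, row["salt"]), row["pw_hash"])
    # Accept the previous, current and next time step to tolerate clock drift.
    code_ok = any(hmac.compare_digest(totp(row["totp_secret"], now + d * STEP), code)
                  for d in (-1, 0, 1))
    return pw_ok and code_ok

def code_from_dump(row: dict, now: int) -> str:
    """Breach case: the stored row alone yields a valid code, but not the password."""
    return totp(row["totp_secret"], now)

if __name__ == "__main__":
    seed = b"12345678901234567890"           # RFC 6238 test seed, not a real credential
    password = "correct horse battery staple"  # constructed sample password
    row = enroll(password, seed)
    t = 1234567890
    print("code at t:", totp(seed, t))
    # Breach: the second factor is recomputable from the row; the password is not.
    print("dump code accepted:", verify(row, password, code_from_dump(row, t), t))
    # Interception: a code captured at t is rejected two minutes later.
    print("stale code accepted:", verify(row, password, totp(seed, t), t + 120))
```

A production verifier would also remember the last accepted time step per account so that a code cannot be reused inside its validity window.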