Application Security in .NET Succinctly®
by Stan Drapkin

CHAPTER 10

Two-Factor Authentication (2FA)


It is often desirable to supplement single-factor “what-you-know” credentials with additional “what-you-have” credentials to avoid security breaches when “what-you-know” credentials are compromised. The “what-you-know” credentials often suffer from mass compromises (for example, thousands of account passwords are leaked in a single security breach), while the “what-you-have” credentials are typically less vulnerable to mass compromises (which can still happen).

One-time passwords (OTP) are commonly employed to mimic the “what-you-have” factor due to their simplicity. We say “mimic” and not “provide” because not all OTP schemes are true “what-you-have” factors, but they are often good enough as long as their limitations are understood.

The key distinguishing feature of all OTP schemes, compared to “what-you-know” schemes, is that they limit or prevent credential replay. Some OTP schemes use symmetric cryptography with a shared secret known to both communicating parties. Some OTP schemes use asymmetric (public-key) cryptography, with the private key held only on the client. Some OTP schemes are challenge-response-based: the server issues an unpredictable challenge to the client, and the client returns a signed challenge to the server.

HOTP

The HMAC-Based One-Time Password scheme (HOTP) is a widely adopted open standard for OTP authentication. HOTP requires a shared symmetric secret and is event-based, where the “event” is an integer counter value incremented on each OTP generation and maintained by both client and server.

TOTP

The Time-Based One-Time Password scheme (TOTP) is an extension of HOTP that uses the current time (divided into fixed-length time steps) instead of an incrementing counter to limit replayability. The main advantage of TOTP over HOTP is that TOTP passwords are short-lived, while HOTP passwords can potentially remain valid for a long time. TOTP is also easier to re-sync and allows multiple clients to authenticate against the server without any additional server-side complexity.

Both HOTP and TOTP schemes are based on a “long-term” symmetric secret key shared by client and server, which results in several important security implications:

  • The secret key can be compromised on either the client or the server (two attack points).
  • The prover and verifier roles are not mutually exclusive—the server can impersonate the client.

This last point also implies that single-client-multiple-server HOTP/TOTP deployments cannot work unless all servers fully trust one another, since any server holding the shared secret can generate valid codes for the others.

TOTP requires both the client and the server to know the current time, which might be a challenge for clients that lack time-tracking capability (such as externally or intermittently powered devices like USB tokens). In such cases the current time is typically provided to the client by the server as a “challenge,” which the client combines with its secret key to produce the TOTP response. This is how YubiKey supports TOTP. One downside of sending challenges to the client is that the client typically has no way of authenticating these challenges as legitimate.

Remember that one of the fundamental goals of leveraging OTP schemes is to mimic the “what-you-have” factor. If we can easily trick the TOTP client into generating a valid response for any value of “time,” then physically possessing the TOTP client will no longer be necessary to have a valid TOTP response for some “future” time, which will negate the very purpose of using an OTP scheme like TOTP. This implies that challenge-based TOTP clients should either never leave their owners or be immediately re-keyed after returning to their owners.

Powered mobile devices capable of timekeeping are ubiquitous and are ideally suited for TOTP. Intermittently powered mobile devices without timekeeping ability can still keep a counter and are better suited for HOTP.

U2F

Universal 2nd Factor (U2F) is a relatively recent challenge-response authentication standard that uses specialized hardware devices (such as USB or NFC tokens). The key improvement of U2F over other two-factor methods is phishing and MITM protection. Modern web technologies coupled with a bit of social engineering make it very difficult for a casual user to spot and comprehend the difference between an authentic destination (like Gmail.com) and an impostor site that looks identical. However, the user agent (“the browser”) does know the difference and can distinguish different destinations even when the user cannot, so the U2F response is bound to the origin the browser actually connected to.

The biggest hurdle for U2F’s adoption is that not all browsers have U2F support yet. However, despite its young age, U2F appears to be open enough, secure enough, and convenient enough to become the dominant OTP alternative.
