The Vulnerability of TOTP in Multi-Factor Authentication (MFA)
Recently I came across an article mentioning that a Time-Based One-Time Password (TOTP) can be brute-forced in less than 3 DAYS. This article looks more closely at that claim and at how we can prevent it.
TOTP is a widely used method for two-factor authentication (2FA), providing an additional layer of security by requiring a numeric code generated by an app on the user’s phone. However, recent discussions and analyses reveal significant vulnerabilities in TOTP implementations, particularly concerning brute-force attacks.
Brute-Force Feasibility
Michael Fincham's article highlights that brute-forcing TOTP codes is surprisingly feasible if the implementation lacks proper rate limiting or account lockout mechanisms [1]. Attackers can make numerous guesses without facing penalties, potentially bypassing the TOTP requirement within hours or days.
Luke Plant's analysis supports this, demonstrating that a six-digit TOTP code can be brute-forced in as little as three days under conservative assumptions [2]. The lack of throttling or account locking significantly increases the risk, making it easier for attackers to succeed.
Prevention and Best Practices
To mitigate these risks, several best practices are recommended:
- Rate Limiting and Account Lockout: Implementing strict rate limiting and account lockout policies can drastically reduce the chances of successful brute-force attacks.
- Monitoring and Alerts: Continuous monitoring of login attempts and alerting users to suspicious activity can help in the early detection of brute-force attempts.
- Adaptive Authentication: Using adaptive authentication methods that adjust security measures based on the risk level of the login attempt can provide an additional layer of protection [4].
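The following is an added example, not code from the original post or from the cited articles. It implements RFC 6238 TOTP verification with a per-account failed-attempt counter and temporary lockout (the first mitigation above), plus a small function that shows why the lockout matters: the chance a blind guesser hits an accepted code within a given number of attempts. The lockout thresholds, account names and the `TotpVerifier` class are constructed for illustration.

```python
import hmac
import hashlib
import struct

DIGITS = 6   # six-digit codes, as discussed in the post
STEP = 30    # 30-second time step (RFC 6238 default)


def totp(secret: bytes, t: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Verifier with failed-attempt counting and lockout (constructed example)."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, window: int = 1):
        self.max_failures = max_failures      # failures allowed before lockout
        self.lockout_seconds = lockout_seconds
        self.window = window                  # accept +/- this many time steps of skew
        self.failures: dict = {}              # account -> consecutive failures
        self.locked_until: dict = {}          # account -> Unix time lock expires

    def verify(self, account: str, secret: bytes, code: str, now: int) -> str:
        """Return 'ok', 'bad' or 'locked'. Locked accounts are rejected
        before any code comparison, so guesses no longer make progress."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        for skew in range(-self.window, self.window + 1):
            if hmac.compare_digest(totp(secret, now + skew * STEP), code):
                self.failures[account] = 0
                return "ok"
        n = self.failures.get(account, 0) + 1
        if n >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            return "locked"
        self.failures[account] = n
        return "bad"


def success_probability(attempts: int, digits: int = DIGITS, window: int = 1) -> float:
    """Probability that a blind guesser hits an accepted code within `attempts`
    guesses, when up to 2*window+1 codes are accepted per attempt."""
    accepted = 2 * window + 1
    return 1 - (1 - accepted / 10 ** digits) ** attempts
```

With a five-failure lockout of fifteen minutes, an attacker gets at most a handful of guesses per lockout period, so `success_probability` stays negligible; without it, roughly a million guesses already give about a 63% chance of success even with no skew window.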
Conclusion
While TOTP remains a popular choice for 2FA, its security heavily depends on the implementation of protective measures against brute-force attacks. Robust rate limiting, account lockout, and continuous monitoring are essential steps to safeguard against these vulnerabilities.
1: https://pulsesecurity.co.nz/articles/totp-bruting
2: https://lukeplant.me.uk/blog/posts/6-digit-otp-for-two-factor-auth-is-brute-forceable-in-3-days/
3: https://security.stackexchange.com/questions/214307/totp-brute-force-prevention?noredirect=1&lq=1
4: https://security.stackexchange.com/questions/145604/best-practices-for-handling-wrong-totp-tokens/145606