Ask HN: Why don't more apps use OTP as the first factor?

7 points by theschmed almost 5 years ago

Hi,

Is there a reason besides inertia why most applications that require authentication use a secret like a password for the primary factor, rather than using a OTP app?

For context about me: I am pretty new to programming, learning web application development. So maybe this would be a Very Bad Idea, and I just don't know why yet!

But it seems to me that some advantages of using a OTP would be:

1. It would be easier to temporarily grant someone else access to your account - as long as the app gives you a way to log out all other sessions and reauthenticate

2. It would remove the burden of remembering/managing unique passwords from the user

6 comments

gpapilion almost 5 years ago

OTP apps require a device or a token. Requiring this removes the ability for a user to get in if their phone is dead, or lost. The support burden is also higher for a reset. Nothing is a show stopper, but also painful enough to prevent wider adoption.

Back in the old days you used to get single-use passwords for secure systems. This creates a similar problem, where losing the sheet meant you needed new passwords.
bruce511 almost 5 years ago

An OTP falls into the "something you have" category[1] whereas passwords are in the "something you know" category.

Things you have are generally less convenient than things you know - which is why they're typically the 2nd factor, not the first factor.

[1] I'm assuming you need something to tell you the OTP - that you haven't memorized them all.
gtsteve almost 5 years ago

For example, there are 999999 combinations for TOTP. You might not be able to get through all those combinations in 30s but you could probably get through enough to give you a good chance of access on a long enough timeline.

So, you lock out IP addresses. The attackers move to using a botnet.

So, you lock out specific accesses to an account. The attackers can't move forward now but they can quite easily and cheaply deny access to a given account indefinitely.

So when implemented correctly, with a strong enough password policy and a way to introduce delay, i.e. with bcrypt2 and IP address locking, etc, 2FA makes it more difficult. The time to access is considerably longer for an attacker.

Of course, you've got similar problems with a password and a second TOTP but you've increased the difficulty level massively as the attacker must now have a working password before they can work on the 2FA dialog. At this point, you can easily spot suspicious behaviour and warn users, etc.
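The trade-off gtsteve describes above, as an added example that is not part of the thread: a minimal RFC 4226/6238 code generator, a verifier that caps guesses per account per 30-second step (the per-account lockout that stops guessing but lets anyone exhaust a victim's budget), and the probability that uniform random guessing under such a cap succeeds over a given number of steps. The attempt budget of 5 and the account name are assumed values; the secret is the RFC test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP evaluated over the current time step (default 30 s)."""
    return hotp(secret, now // step, digits)


class Verifier:
    """Checks a submitted code and caps guesses per account per time step.

    The cap is per account, not per IP, which is the variant the comment says
    stops brute force but lets an attacker lock the account by spending the
    budget. max_attempts=5 is an assumed policy value, not a standard."""

    def __init__(self, secret: bytes, max_attempts: int = 5, step: int = 30):
        self.secret, self.max_attempts, self.step = secret, max_attempts, step
        self.attempts = {}  # (account, time step) -> guesses seen; a real service would expire old keys

    def verify(self, account: str, code: str, now: int) -> str:
        counter = now // self.step
        key = (account, counter)
        if self.attempts.get(key, 0) >= self.max_attempts:
            return "locked"  # budget spent: nobody, owner included, gets in until the next step
        self.attempts[key] = self.attempts.get(key, 0) + 1
        expected = hotp(self.secret, counter)
        return "ok" if hmac.compare_digest(expected, code) else "bad"


def brute_force_success(guesses_per_step: int, steps: int, digits: int = 6) -> float:
    """Probability that random guessing hits a valid code at least once within
    `steps` time steps when only `guesses_per_step` guesses are accepted per step."""
    p_step = guesses_per_step / 10 ** digits
    return 1 - (1 - p_step) ** steps


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / 6238 test secret
    v = Verifier(secret, max_attempts=5)
    print(v.verify("alice", totp(secret, 59), 59))  # owner with the right code
    print(brute_force_success(5, 2880))  # one day of 30 s steps under the cap
```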
gabrielsroka almost 5 years ago

I think Okta can do (something like) this: https://help.okta.com/en/prod/Content/Topics/Security/mfa-factor-sequencing.htm
muzani almost 5 years ago
It also means one point of security. Anyone with my phone has access to the OTP as well.
Raed667 almost 5 years ago

Most users don't even know what an OTP is.