(T)OTP codes should be the first factor. May 5, 2021 on webb's site

Nowadays it's not uncommon to see people using OTP, or one-time passwords. You register some program with a code (or set up your phone number/email with a service), and it will rotate a password every handful of seconds. In this post I will be referring to the use of TOTP codes, which is what is generally used when you use a 2FA app. I'm not referring to having a service text or email you a code.

OTPs are used as a second factor to your authentication. That is, you type in a password and then enter your OTP code.

Now this works great security-wise, but for most people it can be overwhelming. The process can take forever. I'm sure anyone who uses it can understand this. You need to remember or get your password, type it in, then pull out your phone and open an app, and finally type a code. The speed of getting into their accounts is precisely why people use terrible passwords in the first place.

I have a modest proposal. OTP codes should be the default, first factor of authentication. The reasons are as follows.

1. They are easier for people to use.

Telling your grandma to remember a ton of long passwords is unreasonable, and getting her to use a password manager would likely be an uphill battle. Using an authenticator app with codes layed out for every service would make it so much easier to for someone like her to understand comparatively. It's also easier to type, just six or so numbers. It makes security easy even for a child.

2. It's a more secure default

A temporary code is far safer than a password. You can post your TOTP code, and it won't compromise the security of the entire token, and outside of the five minute or so window can't authenticate anyone. It makes phishing attacks and the like far less catastrophic. Instead of saying "go change your password on every site you have ever used, and deauthenticate any evil sessions you may or may not notice", it becomes "deauthenticate the session on the compromised service".

Mobile devices (where I imagine most people would store their TOTP tokens) are lightyears ahead in terms of security against things like malware or technologically smart people. Most phones nowadays are encrypted by default, have good app isolation, and make security easy for even children. For most people having a password even typed into their computer is a massive risk. As such shifting the trust away from the computer to mobile devices would have a massive impact on security.

3. You have options.

If you want to use an offline device, go for it! If you want to encrypt your TOTP token you can do that too. TOTP tokens are about as flexible (if not moreso) than passwords.

But can we do better?

Absolutely. I think the future should be one where you're manually authenticating new sessions from a secure device. However that's not realistic right now. TOTP already has a massive userbase already, and riding off of that for security would be a godsend. Perhaps a new protocol for authenticating sessions might need to be created, and adopted in TOTP-compatible apps. Of course this should exist alongside TOTP tokens for offline authenticator support.

What are the problems?

The main one is that you can't hash the token on the server. You need a copy on your server unhashed in order for it to work. Of course this is a worthy tradeoff when you consider that you're shifting the security away from the users (who might be grandmas) to you, and reducing the harm of getting compromised. I think that's a tradeoff worth making.

Of course, as per usual I want to encourage discussion. I've created a public inbox on SourceHut, so you can email me and have a discussion. You can find it here.