undefined | Better HN

0 pointsstevekemp7y ago0 comments

It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

With that in mind a TOTP solution probably won't help, most systems that use 2FA will allow two adjacent codes to be considered valid to cope with "minor" clock-drift. If you're already using the computer 1 minute after the real owner has left it is possible you could reuse any valid code - if you captured it.

0 comments

leni5367y ago

Allowing adjacent codes and accepting the same code twice is not the same. I would be surprised if TOTP allowed for accepting the same code twice.

e12e7y ago

I wouldn't be surprised... Seeing how bad we generally are at infosec. But it'd definitely be against a sane totp spec to allow a "one time pass" more than once.

In general you should store the most recently accepted counter (or epoch timestamp) and never allow travel back in time. That allows for clock drift, if the time between authentication attempts is less than the otherwise accepted drift.

angry_octet7y ago

Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.

leni5367y ago

> but also because otherwise the user could be locked out for 60s.

I don't see this. Note that it's not about rate limiting unsuccessful attempts (which obviously should be done to some extent) but not allowing the valid OTP to be used twice. In the worst case once the user logged in he can't login from an other device for 60s. Not a huge limitation. Also AFAIK 30s rotation of the OTP is more common/standard.

_verandaguy7y ago

>It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.

RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).

j / k navigate · click thread line to collapse

0 comments

leni5367y ago

Allowing adjacent codes and accepting the same code twice is not the same. I would be surprised if TOTP allowed for accepting the same code twice.

e12e7y ago

I wouldn't be surprised... Seeing how bad we generally are at infosec. But it'd definitely be against a sane totp spec to allow a "one time pass" more than once.

angry_octet7y ago

Typically this is allowed. Probably because otherwise the server would have to store and compare state, but also because otherwise the user could be locked out for 60s.

leni5367y ago

> but also because otherwise the user could be locked out for 60s.

_verandaguy7y ago

>It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.

RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).

j / k navigate · click thread line to collapse