undefined | Better HN

0 pointsrpadovani4y ago0 comments

> In those cases, at the very least always prompt for 2FA for accounts that require it, regardless of if password auth succeeded or not. Don’t tell the user if it was the password or TOTP code that failed.

This still leaks that the account exists and has TOTP enabled tho.

You have to choose if leaking the correctness of the password, or allowing DoS of a login, unless all the accounts have the same MFA.

0 comments

duskwuff4y ago

> This still leaks that the account exists and has TOTP enabled tho.

You could mitigate that by prompting for an OTP code on a random but stable subset of nonexistent accounts -- for example, by hashing the provided username with a server-side secret and requesting an OTP if the hash starts with a zero.

3np4y ago

First time I see this idea - I like it!

3np4y ago

Yes, maybe I should have made that compromise more clear. The alternative I see would be to enforce some form of 2FA for all accounts and always prompt for 2FA. Depending on the system it may make sense.

It’s still way better than leaking a successful password auth.

j / k navigate · click thread line to collapse

0 pointsrpadovani4y ago0 comments

This still leaks that the account exists and has TOTP enabled tho.

You have to choose if leaking the correctness of the password, or allowing DoS of a login, unless all the accounts have the same MFA.

0 comments

duskwuff4y ago

> This still leaks that the account exists and has TOTP enabled tho.

3np4y ago

First time I see this idea - I like it!

3np4y ago

It’s still way better than leaking a successful password auth.

j / k navigate · click thread line to collapse