Reasons why U2F is better than TOTP (one-time password)
· Follow
Published in · 6 min read · Oct 28, 2016
There can never be enough security. On the other hand, using faulty or weak protections may merely make you feel safe while you remain exposed to various threats.
Using passwords only is generally a bad idea, something we have known since the beginning of the Internet. We are making progress toward a password-free world, but in the meantime, many websites offer an additional user account protection with Two-Factor Authentication (2FA).
In general, there are two types of 2FA implementations: Time-based One-time Password (TOTP) and Universal Second Factor (U2F). You may be familiar with the former, as it is the most commonly used 2FA: at login, you have to enter a one-time code generated by your phone app, a dedicated hardware device, or sent to you via SMS. While simple, there are several shortcomings to this method.
Time-based One-time Password (TOTP), popularized mainly by Google Authenticator, verifies your identity based on a shared secret. This secret must be shared online between you and the provider.
When logging into a website, your device generates a unique code based on the shared secret and the current time. Then you have to submit this code manually. The server generates the exact same thing, based on the same secret, to compare and validate the login request.
Why Is TOTP Inadequate?
While TOTP is very simple to use, it has weaknesses and inconveniences.
- You have to manually input the code at logging in, adding another step to the process.
- Backup is cumbersome. You have to take additional steps to back up the secret. Also, the services often offer reserve codes instead of explicitly suggesting to save the secret. If you lose your secret and log in with a reserve code, you will have to redo the entire TOTP registration process again.
- Backup codes are sent online, which is often insecure.
- You and Provider share the same secret. If an attacker hacks into a company and gains access to both the password and the secrets database, he/she will be able to access every account completely unnoticed.
- The secret is displayed in plaintext or QR code. It cannot be provided as a hash or with a cryptographic salt. This also means that the secret is most likely stored in plaintext form, on the servers of the provider.
- The secret can be exposed during the registration, as the provider has to give you a generated secret. By using TOTP, you have to trust the providers to be able to protect the secret. But can you?
The U2F standard by the FIDO Alliance was created by technological corporations, such as Google and Microsoft, recognizing the weaknesses of TOTP. U2F uses public-key cryptography to verify your identity (Reddit — Explain Like I’m Five). In contrast to TOTP, you are the only one to know the secret (the private key).
Benefits of U2F
- No shared secret (private key) is sent over the internet at any time. No confidential information will ever be shared, thanks to public-key cryptography.
- Easier to use. No retyping of one-time codes involved.
- Privacy. No personal information is associated with the secret.
- Backup is theoretically easier. Though, not always possible. E.g., you cannot back up a Yubikey.
Because with U2F, there is no secret shared and no confidential databases stored by the provider, a hacker cannot simply steal the entire databases to get access. Instead, he has to target individual users, and that is much more costly and time-consuming.
Moreover, you can back up your secret (private key). On the one hand, it makes you responsible for your security, but it also means that you do not need to trust any company to protect your secrets (private keys).
Trezor is a small dedicated device designed to store private keys and to serve as an isolated computing environment. Originally invented as a secure Bitcoin hardware wallet, created to protect money, its uses have expanded thanks to the wide applicability of asymmetric cryptography. Trezor can now serve as a hardware security token for U2F, but with backup/recovery functions and convenience, which no other product can compare to.
How Does U2F With Trezor Work?
When logging into a website, you generally authenticate yourself by providing a user name and a password. With Trezor and U2F, you will have to additionally confirm the login with a click on your Trezor device.
Unlike some other tokens, Trezor always uses a unique signature for each and every user account registered. Additionally, Trezor brings U2F to a completely new level:
- Easy to back up and recover. Trezor requires you to back up your so-called recovery seed during the initial setup of the device. This is a one-time process for all functions of the device. The recovery seed represents all the secrets (private keys) generated by the device and can be used to restore your hardware wallet at any time.
- An unlimited number of U2F identities, that are all saved under one backup.
- The secret is safely stored inside Trezor. It will never be shared, as it can never leave the device. No viruses or hackers can access them.
- Phishing protection with on-screen verification. Trezor always displays the URL of the website you are logging into, and what exactly you are about to authorize. You can verify that what was sent into the device is, in fact, what you expected.
- Additional information on setup, use, and recovery of Trezor for U2F can be found in our blog post here or in the User Manual.
The safe characteristics of asymmetric cryptography fall into the security philosophy of Trezor. With the U2F support in Trezor, we encourage users to employ all measures available to secure their accounts and identity online.
Interesting Articles:
Here’s How an Attacker Can Bypass Your Two-Factor Authentication
Adding a phone number to your Google account can make it LESS secure
Centralized versus Decentralized Networks
Created by SatoshiLabs in 2014, the Trezor One is the original and most trusted hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, and serves as the second factor in Two-Factor Authentication. These features combine with an interface that is easy to use whether you are a security expert or a brand new user.
Trezor Model T is the next-generation hardware wallet, designed with the benefits of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.
As an enthusiast deeply immersed in the realm of cybersecurity, particularly in the domain of Two-Factor Authentication (2FA), I'm here to shed light on the reasons why Universal Second Factor (U2F) triumphs over Time-based One-time Password (TOTP). My expertise stems from a comprehensive understanding of cryptographic protocols, security vulnerabilities, and a keen awareness of industry developments up to my last training data in January 2022.
The article in question, penned by SatoshiLabs and published on the Trezor Blog, delineates the nuances of TOTP and U2F. TOTP, a widely adopted 2FA method, relies on shared secrets and time-based codes generated by devices like Google Authenticator. However, it is not without its drawbacks. Manual code input, cumbersome backup processes, and the vulnerability of shared secrets are highlighted as shortcomings.
U2F, championed by the FIDO Alliance with the backing of tech giants like Google and Microsoft, emerges as the superior alternative. Here's why:
-
No Shared Secrets Over the Internet: U2F utilizes public-key cryptography, ensuring that no private key is sent over the internet. This significantly enhances security, as there's no risk of a shared secret being intercepted during transmission.
-
Ease of Use: Unlike TOTP, U2F eliminates the need for retyping one-time codes, streamlining the authentication process.
-
Enhanced Privacy: U2F doesn't associate personal information with the secret, preserving user privacy.
-
Theoretical Ease of Backup: While not always possible (e.g., with Yubikey), U2F theoretically offers easier backup options. Users can be responsible for their security without having to trust third-party providers.
-
Individual User Targeting: Unlike TOTP, where a compromise can lead to widespread unauthorized access, U2F necessitates attackers to target individual users, making it a more challenging and time-consuming task.
The article emphasizes the implementation of U2F with Trezor, a hardware wallet initially designed for secure Bitcoin storage. Trezor's U2F support adds an extra layer of security, ensuring private keys never leave the device, and offering features like easy backup, recovery, and on-screen verification to prevent phishing attacks.
In conclusion, my in-depth knowledge of cryptographic principles and the intricacies of 2FA reinforces the argument put forth by the article—U2F stands as a more secure and user-friendly alternative to TOTP in the ongoing quest for robust online identity protection.
