You need it on your phone now! A Guide to 2FA with TOTP | by Christophe Lam | The FOSS Albatross | August 2022
You’ve probably heard of 2FA in the cybersecurity community or even in the media as an important step in protecting your accounts. All the time, people and businesses fall victim to various hacks that could have been prevented if only they had 2FA enabled. But what is 2FA and why is it so important that you implement it now?
Introduction to 2FA
Two-factor authentication (2FA) refers to any second method, besides your usual password, by which you must prove your right to access an account in order to log in. The effectiveness of 2FA lies in the principle that an attacker is far less likely to compromise both your password and your second factor. Even if an attacker guesses a password as weak as “password123”, they still need access to your phone to obtain the 2FA code produced by the method you set up.
TOTP among other 2FA methods
Common 2FA methods include SMS, phone calls, emails, and TOTP. With SMS, call and email 2FA, you receive a code that you must enter on the service’s login page. The security risk lies in the delivery of that code: text messages, calls and emails are not encrypted end to end, so the code is susceptible to interception by a man-in-the-middle on its way to you.
TOTP, which stands for Time-based One-Time Password, takes a different approach: the codes are generated on your own device. TOTP is local, so it works without network access and does not rely on any other service or protocol that could be compromised. In a nutshell, a TOTP app on your phone generates a unique authentication code that is regenerated at regular intervals.
The TOTP process
1. A service provides a unique key for your account in the form of a QR code or a character string.
2. You store this unique key in a TOTP application. Now you and the service have a copy of this unique key.
3. The TOTP app combines the unique key with the current time, divided into fixed intervals (typically 30 seconds), using a keyed hash (HMAC) to generate an authentication code.
4. You enter this authentication code on the service’s login page. The service runs the same computation with its copy of the key; if the codes match, you are granted access.
5. The authentication code changes at regular intervals (for example every 30 seconds), so a guessed or captured code is only useful for a short time, which limits brute-force attacks.
Again, the beauty of TOTP is that it can run entirely locally, so you don’t have to worry about your 2FA passcode being intercepted through the internet or any other service or protocol. However, note that some TOTP apps require network access or rely on other services such as Google Play Services, so be sure to avoid them to minimize your attack surface.
Note that TOTP, while providing an additional layer of security, is not perfect. You are still vulnerable to phishing attacks that trick you into entering your code on a fake login page; the attacker then uses that code on the real service within the short window in which it remains valid. However, having TOTP is still much better than being without this layer of security.
Which accounts support TOTP?
So you have been convinced to use TOTP! But do the accounts you use even support 2FA? Of course, you want to know if you can use TOTP to protect sensitive areas of your life such as banking, communication, and e-commerce. Fortunately, there is an easy way to find out!
Discover the free and open-source project 2FA Directory! This handy website is based on crowdsourced reports that list popular services in various countries and the types of 2FA they support. Simply search for the service of your choice to see if it has TOTP. You can also browse your country’s services by category to select one that supports TOTP.
Start using a TOTP app now!
Because TOTP is an open standard, it can be easily adopted by services that want to implement it as part of their login security and developers who want to create their own TOTP applications. There are many apps you can use to host your 2FA codes, but some offer better features and interfaces than others.
My TOTP app of choice is Aegis, an easy-to-use FOSS option that offers many advantages over popular options like Authy, Duo Mobile and Microsoft Authenticator!
The most important feature of Aegis is the ease with which you can create backups of your TOTP keys! Data can be exported to an encrypted file which can then be imported to restore TOTP functionality. This feature is ideal if you want to switch to a separate device or easily recover your previous configuration if your existing device is stolen!
Meanwhile, Authy, Duo Mobile, and Microsoft Authenticator will not allow you to create proper backups of your TOTP keys once you set up your accounts. You’ll either be forced to stay in their closed-source app ecosystem through their proprietary backup system, or repeat the TOTP setup process with each of your accounts!
For example, Duo Mobile only allows backups via Duo Restore, which does not work on different operating systems or different authenticator apps. To make matters worse, Duo Restore requires you to set up your backups via Google Drive rather than locally.
Additionally, Aegis allows you to encrypt the vault storing your TOTP keys using a password or biometrics (fingerprint, face ID). This feature adds another layer of security to that particularly sensitive data on your phone.
What are you waiting for? Get settled with this crucial layer of security for your accounts!