Research field: Analysis
Conference: International Symposium on Security and Privacy in Social Networks and Big Data
Time-based One-Time Password (TOTP) is a widely used method for two-factor authentication, whose operation relies on one-time codes generated from the device's clock and validated using the server's clock. By introducing the notion of forward-replay attack, in this paper we underline an obvious (but somewhat overlooked) fact: a secure server-side time reference is not sufficient when an attacker can maliciously set future time instants on the device, collect the corresponding TOTPs, and play them back later, once those time instants are actually reached. After examining viable attack scenarios, we present a concrete proof-of-concept implementation on Android mobile phones against three applications using TOTP, including the widely used TOTP-based Google Authenticator app. Our findings highlight the practicality of such a threat and raise concerns about the security of TOTP, suggesting that hardened TOTP-based methods should be explored.
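The mechanism the abstract describes, as an added example that is not code from the paper or from any of the applications it tests: an RFC 6238 TOTP generator, a server-side verifier that trusts only its own clock, and a simulation of an attacker who advances the device clock, harvests the codes it shows, and submits them once the real time catches up. The secret and timestamps are the RFC 4226/6238 reference values; the `TotpVerifier` class (its skew window and its one-time-use rule) and the harvesting loop are assumptions of this example, not the paper's proof of concept.

```python
"""RFC 6238 TOTP plus a constructed simulation of a forward-replay attack.

Added example, not code from the paper. The verifier's skew window and
one-time-use policy are assumed (typical of deployed verifiers); the
harvesting loop is a constructed stand-in for an attacker who controls
the device clock.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 default time step, seconds
DIGITS = 6    # code length used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter T = floor(unix_time / step).

    The device evaluates this with *its own* clock, which is exactly the
    input the forward-replay attacker gets to choose.
    """
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Assumed server-side verifier: trusts only its own clock, accepts the
    current step +/- `window` steps to absorb clock skew, and never accepts a
    step at or below the last one already consumed (the one-time-use rule of
    RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_step_used = -1

    def verify(self, code: str, server_time: int) -> bool:
        current = server_time // STEP
        for drift in range(-self.window, self.window + 1):
            step = current + drift
            if step <= self.last_step_used:
                continue  # already consumed: a straight replay is refused here
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step_used = step
                return True
        return False


def harvest_future_codes(secret: bytes, device_time: int, steps_ahead: int) -> dict[int, str]:
    """Collect phase: the attacker sets the device clock to successive future
    instants and records the code displayed for each one."""
    return {device_time + k * STEP: totp(secret, device_time + k * STEP)
            for k in range(1, steps_ahead + 1)}


def forward_replay(secret: bytes, real_now: int, steps_ahead: int = 3) -> list[tuple[int, bool, bool]]:
    """Returns (target_time, accepted_immediately, accepted_once_time_arrives)
    for each harvested code. Immediate and deferred attempts are checked against
    separate verifier states so each answer reflects only the server clock."""
    harvested = harvest_future_codes(secret, real_now, steps_ahead)
    now_server = TotpVerifier(secret)      # honest clock, still at real_now
    later_server = TotpVerifier(secret)    # honest clock, consulted when each instant arrives
    results = []
    for target_time, code in sorted(harvested.items()):
        accepted_now = now_server.verify(code, real_now)
        accepted_later = later_server.verify(code, target_time)
        results.append((target_time, accepted_now, accepted_later))
    return results


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    for target_time, now_ok, later_ok in forward_replay(secret, real_now=59):
        print(f"code for t={target_time}: accepted now={now_ok}, accepted at t={target_time}: {later_ok}")
```

Two things the run makes visible. The code harvested for the very next step is accepted immediately, not because of the attack but because of the skew window that nearly every verifier keeps; the codes for steps further out are rejected now and accepted at their own time. The one-time-use bookkeeping does not help against the deferred submissions: from the server's side each harvested code is being presented for the first time, at a step the server's own honest clock agrees with, which is the point the abstract makes about a trustworthy server clock not being sufficient on its own.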
| Publication year | 2023 |
|---|---|
| Citations | 0 |
| Country of publication | Italy, Andorra |
| Site | Springer |
| Likes | 0 |