What protects 2FA secret in a data leak?

chris55
Community Member

My first around here so go easy!

I recently migrated to 1Password, changed all my passwords to strong unique ones and enabled TOTP 2FA where possible.

Everyone tells you to enable 2FA via an app where possible as it’s more secure than SMS 2FA because of SIM swapping.

But in a data leak, which would reveal usernames, passwords etc., what protects the 2FA secret for any given service from being leaked? Meaning all someone has to do is enter my 2FA secret into any of the many apps to obtain the TOTP?

Comments

  • Tertius3
    Community Member

    Such data leaks simply don't contain 2fa secrets. This is the main point of 2fa. User databases from any service cannot contain 2fa secrets, so they cannot be stolen along with the regular identifying data such as username+password.

  • chris55
    Community Member

    Thanks for your reply!

    So where is it kept? How does the website / service know it’s the correct one time code being used if they don’t store the secret?

  • [Deleted User]
    Community Member

    Interesting post from jpgoldberg on how 1Password stores the TOTP shared secrets used to protect your 1Password account:
    https://1password.community/discussion/comment/490123#Comment_490123

  • chris55
    Community Member
    edited August 2021

    So reading that, app based TOTP adds no extra security in terms of a server breach? In fact it’s weaker than a password as passwords are hashed. It’s just that it can’t be stolen when in transit where a password can.

    Surely then SMS 2FA is more secure? Because then at least you have an extra layer where they would have to social engineer your phone company to order a new SIM to be sent to them, and even then they have a finite amount of time before a SIM swap is noticed and stopped. Or they have access to your unlocked device.

  • [Deleted User]
    Community Member

    @chris55 The server is the gatekeeper for 2FA, so a breach of the server will lead to a breach of 2FA. It is just authentication after all, and we are authenticating ourselves to the server. My takeaways from this are:
    1. TOTP and SMS-based 2FA don't provide any protection against a server breach;
    2. When a server gets breached we need to reset our passwords and our TOTP-based 2FA.

  • Tertius3
    Community Member
    edited August 2021

    So where is it kept? How does the website / service know it’s the correct one time code being used if they don’t store the secret?

    2fa works a bit like public/private key authentication. The only one who has your secret is you on your local device. The service only keeps a public key, so it can verify the code you created with the secret. At initialization, the service created the secret for you and gave you the QR code, but it doesn't store it. It's removed from the service's memory as soon as you leave the 2fa registration page.
    A sign of this is if you lost your 2fa secret code, you're never again given the old secret by the support along with an account recovery procedure - instead, it's always required to completely initialize 2fa with a new secret.

    To get a 2fa secret stolen, it must be stolen from the device where you store it in your authenticator app. For attackers, this is a very tedious task, because for every successful attack they get only the secret of 1 person, while in the past they got thousands or millions of username+password pairs if they attacked the complete user database of a service.

    So for the time being, 2fa is a very good account protection. Just because it's there. Currently, it's much easier for an attacker to concentrate on accounts not yet connected with 2fa than to try to attack a 2fa-protected account.

    However, 2fa only protects against an attacker logging in to some account of yours with a breached username+password. It doesn't encrypt anything, so if the service's data is stolen directly from their server, 2fa has no part in protecting against that.

  • [Deleted User]
    Community Member

    @Tertius3 Not all 2FA is created equal. While it's true to say that U2F and FIDO2 are based on public/private key authentication, the discussion here was regarding TOTP-based authentication. In this case, both the server and the authenticator app hold a copy of a shared secret and hash it with the current time to generate the rotating 6-digit passcodes. So the shared secret can be stolen from the server or the authenticator app.
    https://en.wikipedia.org/wiki/Time-based_One-Time_Password
    That said, it seems to be the case that TOTP secrets are not often found in data breaches. I think this is because they are typically not stored with the rest of the customer database. As the service provider's staff don't need to access them directly, they can be stored in hardware security modules or subject to additional protection, limiting access to the server's TOTP passcode generator.

  • Tertius3
    Community Member

    @rootzero Thanks for correcting me. I didn't realize this and drew incorrect conclusions from my observation that a service never re-sends existing secrets. It seems I didn't remember what I once read - this Wikipedia article was definitely visited by me in the past. Argh!

This discussion has been closed.