Why Final is Transitioning to TOTP for 2FA

By: Kyle Rankin on 31 May 2017

The security of our customers is a big focus here at Final and that focus drives everything from our password policy to how we manage customer data and how we harden our servers. In addition to picking a good password, one of the best things customers can do to protect accounts from unauthorized access is enable Two Factor Authentication (2FA). While we have always offered SMS-based 2FA as an option, we recently added Time-based One Time Pad (TOTP) 2FA and recommend our customers transition to it, if possible. In this article I will explain what 2FA is and why it’s important, how SMS-based and TOTP-based 2FA work, and why we are recommending everyone transition to TOTP.

What is Two Factor Authentication?

Authentication is a process where you prove to someone or something who you are. Authentication might take the form of an ID card, a fingerprint, a PIN, a physical key, or most often in the case of computers, a username and a password. Each of these different forms of authentication generally fall into one of three main categories:

  • Something you know
  • Something you have
  • Something you are

“Something you know” includes passwords, PINs, or a safe combination. “Something you have” might include credit or debit cards, a company ID badge, a key, or your phone. “Something you are” typically refers to biometrics like your fingerprint, your signature, your voice, or your face.

As you go about your day, you use one or more of these factors to prove who you are. If you use just one of these factors it’s referred to as Single-Factor Authentication. If you use two, it’s called Two-Factor Authentication (or 2FA). Three-Factor Authentication uses all three. So for instance, a traditional website that requires a username and password is an example of Single-Factor Authentication. When you withdraw money from an ATM you use 2FA: something you have (your debit card) and something you know (the PIN). Most secure computer data centers use Three-Factor Authentication: a customer must use an ID badge (something they have), a PIN (something they know), and a finger or palm print (something they are) before they can get inside secured rooms.

Why Two Factor Authentication?

Unfortunately, the easiest way for an attacker to access someone’s account is usually through their password. While our password policy encourages a stronger password than many other sites, password cracking gets more sophisticated every day and unless you use a long and truly random password (ideally stored in and generated by your password manager program), there are still a few ways an attacker might be able to get your password:

  • Outright guessing
  • Hacking a site where you’ve re-used a password.
  • Intercepting an “I forgot my password” email after attempting to maliciously reset your password.

Without 2FA, the attacker can access your account immediately after discovering your password. With 2FA, they would also have to compromise the second factor before they have access to your account. The most common forms of 2FA that are used in addition to a password are:

  • SMS: The site or app sends you a text message with a code to enter after you log in.
  • Push: The site or app sends a push notification for you to approve or decline after you log in.
  • TOTP: You have a hardware device or software app that generates a code every 30 seconds. You enter the current code after you log in.
  • U2F: You insert a hardware device into your computer and press a button on it after you log in.

Each of these 2FA implementations have their pros and cons, but using any of them is preferred to not using 2FA at all. Final currently supports SMS and TOTP and in the next sections I will elaborate on those two approaches.

What’s Wrong with SMS?

The idea behind SMS as a form of 2FA is that since a cellphone number should only be allowed to be assigned to one phone at a time, your phone becomes “something you have” that no one else has. SMS has been popular as a form of 2FA for websites for the same reasons we initially chose it at Final: it’s simple to implement and doesn’t require a smartphone or any special software on the user’s side. As long as you have a cellphone that can receive a text message, you can use SMS-based 2FA. Because of these compatibility reasons, we will continue to offer SMS as an option even as we encourage you to use TOTP.

Unfortunately, SMS-based 2FA has been shown to be vulnerable to a number of different attacks. In the most common attack, the attacker learns the cellphone number that’s registered for 2FA and then contacts the cellphone provider, pretends to be the customer, and convinces the provider that they lost their phone. Once they get the number moved to a phone under their control, they can receive the 2FA SMS message. This may seem far-fetched but it’s more common than you think and happened to a good friend of mine a few months ago. More recently, security researchers have uncovered flaws in the SS7 signalling technology used in cellphone networks to intercept SMS messages without any social engineering.

Beyond the security flaws, the other main problem with SMS-based 2FA is that it only works when you have a cell signal. If you are somewhere that has spotty cellphone reception, are traveling to a foreign country and your plan doesn’t provide service there, or even if you are on a plane using their wifi but have your phone in airplane mode, you may not be able to receive the SMS and log in.

What’s Right about TOTP?

While both TOTP and SMS provide you with a code, the way they create that code is completely different. The idea behind TOTP as a form of 2FA is that the “something you have” is a unique key stored on special hardware or on a phone that is very difficult or impossible to copy. This unique key then gets combined with the current time to generate a code. Even though you can implement TOTP on a hardware device that generates codes, these days you are most likely to use TOTP via an app on your phone like Google Authenticator, Authy, or Yubico Authenticator.

When you first set up 2FA on a site, the site will generate a secret key and display it on the screen. For convenience, the site will also convert the key to a QR code so you can scan it into your phone instead of typing it in by hand. Once the key is on your phone, the next time you want to log in your app combines the key with the current time to generate the code. The server also generates a code with its copy of the key and the current time and compares it with the code you entered. As long as both sides have accurate time the code should match.

The nice thing about TOTP being time-based is that your device doesn’t need an Internet or cellular network connection to work. This can be handy if you are traveling or otherwise in a situation where your computer has Internet access but your phone is offline. Unlike with SMS codes, which may take quite some time to expire, TOTP codes generally expire within 30 seconds. For ease of use and to allow for time being out of sync, some implementations of TOTP will accept the previous or the next TOTP code so you get 60 to 90 seconds before a code expires.

From a security standpoint, TOTP is much stronger than SMS because there’s no code being transmitted from the server to the client for an attacker to intercept. For an attacker to compromise TOTP, they would need to get a copy of the secret key that’s stored securely on your phone in a way that’s inaccessible without rooting the phone. The fact that the keys are hard to copy is great for security but also presents a practical downside: if you wipe your phone, you will lose all of your TOTP keys unless you root the phone and back them up with a comprehensive backup tool. If you are someone who wipes their phone frequently, you might want to look into a device like a Yubikey Neo that can store your TOTP keys and then display codes safely on your phone over Near Field Communication (NFC).

How to Enable TOTP for 2FA

To enable TOTP as your 2FA method on your Final account, log in to your account with a web browser and click on the Settings link at the top of the screen. Click Security on the left-hand side of the window that appears and under the Two Factor Authentication section, click the Enroll button. If you have previously set up SMS-based 2FA, you will first need to click Disable to remove that form of 2FA, then you should see the Enroll button.

Once you have clicked Enroll you will be presented with two different options, App or SMS. Click App and then use the TOTP authentication app on your phone to scan the QR code that appears on the screen. Below the QR code we also display the text of the key, in case you want to add it manually. After adding the code to your TOTP application, click Next and enter in the current TOTP code your authenticator app displays to confirm. That’s it! Now you’ve added an extra layer of protection to your account.

In Conclusion

Here at Final we put a lot of thought into the security measures we put in place (and which measures we skip) to provide you with the most current security measures that keep you safe without sacrificing ease-of-use. We know many of you have wanted TOTP as a stronger 2FA option yet some of you may not have a compatible device or may prefer SMS for other reasons so we provide both options–either one is better than not using 2FA at all. If there’s a security feature you’d like to see us add, please let us know at security@getfinal.com.