Zero Trust: Best Practices for Preventing Misunderstandings and Mistakes
Zero Trust can be perplexing when it devolves into just another marketing buzzword. Let’s clarify what it really means.
In our previous blog post on 2FA/MFA, we already addressed the question of how the free software KeePass can be used as a backup solution for a TOTP authenticator. This time we will look at how TOTP itself works and which relevant service providers already support 2FA with time-based one-time passwords.
Passwords have been used to secure user accounts for several decades, but they have inherent problems and many security experts consider the humble password to be a security risk itself. Simple passwords are easy to remember but are not considered secure – they are sometimes cracked within seconds using dictionary attacks or brute force. On the other hand, hardly anyone can remember complex passwords. And even complex passwords can be cracked eventually, given enough time and computing power, but that is not even the main problem.
Passwords can generally be used to log in from any location. Once they have access to the user’s credentials, which can be achieved relatively quickly through social engineering, an attacker can log into a secure service from almost any location in the world. However, this does not work if a one-time password is required as an additional measure to the username and password. A time-based one-time password (TOTP) is an additional password that is valid only for a short period of time. It can also be used only once and is ideally generated by a second device. If the attacker does not have the device used to generate the TOTP, the stolen credentials are rendered useless.
Recommending that users change their passwords regularly has proven to be a successful measure in handling passwords securely. Many companies also include this measure directly in their IT security policy. There is even a "Change Your Password Day" to promote awareness of password security. However, with the large number of passwords that users need today, this is not a valid solution. No one can change dozens or even hundreds of passwords on a regular basis and keep track of them.
TOTP is not entirely new, but it is simple to implement and it has already been proven effective. The technical security standard for TOTP was established in May 2011 by the Internet Engineering Task Force (IETF) in an RFC (Request for Comments). RFC 6238 describes the extension of the OTP (One-Time Password) concept by introducing a time restriction. RFC 6238 is intended to further increase security when using one-time passwords.
The TOTP algorithm generates a code from a secret key and a time stamp; the code is only valid for a specific period of time, after which it expires. Usually, the code expires after a period of 30 seconds. Both the server and the client know the algorithm used and the secret key, and can therefore calculate the code independently of one another and then compare the results. If the result matches and the correct username and password were entered (these are usually still used), the user is authenticated. If it doesn’t match, access is denied.
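To make the mechanism concrete, here is an added example (not code from the original post or from NCP) that implements TOTP as described in RFC 6238 on top of HOTP (RFC 4226) using only the Python standard library. It shows both sides of the exchange: the client derives a code from the shared secret and the current 30-second time step, and the server recomputes the code for the same step. The server-side `verify_totp` helper also covers two details the paragraph above implies but does not spell out: a small window for clock drift between the two devices, and a `last_counter` value so that a code that has already been accepted cannot be used a second time. The secret `b"12345678901234567890"` is the published RFC 6238 test key, used here only so the output can be checked against the RFC's tables; the function names are this example's own.

```python
"""TOTP (RFC 6238) built on HOTP (RFC 4226) with the Python standard library only.
Added example, not part of the original post."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)  # keep leading zeros


def time_counter(for_time: float, step: int = 30, t0: int = 0) -> int:
    """Number of whole time steps since t0 (Unix epoch by default)."""
    return int((for_time - t0) // step)


def totp(secret: bytes, for_time=None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """Client side: the code for the current (or given) time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, time_counter(for_time, step), digits, algo)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Server side: recompute the code independently and compare.

    window       -- accept +/- this many steps to tolerate clock drift
    last_counter -- highest counter already accepted for this user; any
                    candidate at or below it is refused so a code is single-use
    Returns the accepted counter (store it as the new last_counter) or None.
    """
    if for_time is None:
        for_time = time.time()
    now = time_counter(for_time, step)
    for delta in range(-window, window + 1):
        candidate = now + delta
        if last_counter is not None and candidate <= last_counter:
            continue                              # replay of an already-used step
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demonstration with the RFC 6238 test key (SHA-1, 8 digits).
    key = b"12345678901234567890"
    for t in (59, 1111111109, 1234567890):
        print(t, totp(key, t, digits=8))
    # Client generates a code, server verifies it, then the same code is replayed.
    code = totp(key, 59, digits=8)
    accepted = verify_totp(key, code, for_time=59, digits=8)
    print("first use accepted at counter", accepted)
    print("replay accepted?", verify_totp(key, code, for_time=59, digits=8,
                                          last_counter=accepted))
```

A real deployment stores the shared secret encrypted on the server, persists the accepted counter per user, and rate-limits failed attempts; the example keeps those outside its scope and only shows the arithmetic that both sides perform.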
Services and applications that already support TOTP
We have already discussed, from a security perspective, the importance of using a TOTP authenticator when 2FA is enabled. Many service providers have supported the technology for a long time for precisely this reason. The following is a list of well-known companies and business services that offer TOTP for their users and customers.
Now that we have covered the most important companies and online services, we can also recommend the international 2FA Directory for further research. You can manage all TOTP-secured services conveniently and securely via the NCP Authenticator App on your smartphone – alongside secure two-factor authentication for VPN access to remote networks.