How 2FA works with time-based one-time passwords

In our previous blog post on 2FA/MFA, we have already addressed the question of how the free software KeePass can be used as a backup solution for a TOTP authenticator. This time we will look at how TOTP itself works and which service providers are relevant to the companies that already support 2FA with time-based one-time passwords.

What risks are associated with username and passwords?

Passwords have been used to secure user accounts for several decades, but they have inherent problems and many security experts consider the humble password to be a security risk itself. Simple passwords are easy to remember but are not considered secure – they are sometimes cracked within seconds using dictionary attacks or brute force. On the other hand, hardly anyone can remember complex passwords. And even complex passwords can be cracked eventually, given enough time and computing power, but that is not even the main problem.

Passwords can generally be used to log in from any location. Once they have access to the user’s credentials, which can be achieved relatively quickly through social engineering, an attacker can log into a secure service from almost any location in the world. However, this does not work if a one-time password is required as an additional measure to the username and password. A time-based one-time password (TOTP) is an additional password that is valid only for a short period of time. It can also be used only once and is ideally generated by a second device. If the attacker does not have the device used to generate the TOTP, the stolen credentials are rendered useless.

How secure TOTP password protection works

Recommending that users change their passwords regularly has proven to a be successful measure in handling passwords securely. Many companies also include this measure directly in their IT security policy. There is even a "Change Your Password Day" to promote awareness of password security. However, with the large number of passwords that users need today, this is not a valid solution. No one can change dozens or even hundreds of passwords on a regular basis and keep track of them.

TOTP is not entirely new but it is simple to implement and it has already been proven effective. The technical security standard for TOTP was established in May 2011 by the Internet Engineering Task Force (IETF) in an RFC (Request for Comment). RFC 6238 describes the extension of the OTP (One-Time Password) concept by introducing a time restriction. RFC 6238 is intended to further increase security when using one-time passwords.

The TOTP algorithm generates a code from a secret key and a time stamp, which is only valid for a specific period of time, after which the code will expire. Usually, the code expires after a period of 30 seconds. Both the server and the client know the algorithm used and the secret key, and can therefore calculate the code independently of one another and then compare it with one another. If the result matches and the correct username and password were entered (these are usually still used), the user is authenticated. If it doesn’t match, access is denied.

Services and applications that already support TOTP

We have already discussed the importance of using a TOTP authenticator when 2FA is enabled from a security perspective. Many service providers have already supported the technology for a long time for precisely this reason. The following is a list of well-known companies and business services that offer TOTP for their users and customers.

• Apple iCloud: Apple supports two-factor authentication for both MacOS and iOS. The required steps are described by the company here.
• Amazon Web Services (AWS): Based on Amazon Cognito, AWS has also developed a way to log in to applications protected by TOTP. Please refer to this page for more information.
• Bitrix24: The CRM (Customer Relationship Management) service provider Bitrix24 also offers two-factor authentication for enhanced security. The documentation is easy to follow and includes graphics showing how to set it up.
• Box: User accounts for the online storage service “Box” can also be secured via 2FA. Users can choose between using SMS and a TOTP authenticator.
• Dropbox: Dropbox is one of the most frequently used online storage services in companies. The manual on TOTP setup provided is not only very detailed, but also available in other languages.
• Evernote: The online service allows you to save notes, documents and photos. You can protect access to this often sensitive data via 2FA and TOTP. The manual provided by Evernote is also very detailed and is available in other languages. A YouTube tutorial is also available for this same reason.
• Facebook: Even if Facebook is losing importance, many companies still use the social network to connect with customers. Facebook accounts can also be protected via TOTP.
• Google: As a major cloud service provider, Google offers a variety of online services that countless companies use worldwide. With just a few steps, you can activate 2FA and TOTP for your Google Account.
• HiDrive (Strato): The online storage service HiDrive from Strato also supports logins secured with 2FA and OTP. Codes created by HiDrive only expire after 60 minutes. Please refer to the setup instructions.
• IBM Cloud: IBM cloud-enabled accounts can be protected with time-based one-time passwords. Refer to this page for detailed documentation.
• Microsoft: Similar to Google, a Microsoft account can be used for numerous services from different companies (e.g., Azure, Microsoft 365, OneDrive, etc.). Refer to this page for information on how to set up 2FA from Microsoft.
• Oracle Cloud: The Oracle Cloud, which can be used for many database services can also be secured using TOTP. The instructions are extensive and illustrated with many screenshots.
• Salesforce: Accounts for the enterprise services offered by Salesforce also support TOTP. Refer to information from Salesforce on how to set up 2FA.
• Slack: Some companies now only communicate via Slack. It is a good thing that the user accounts on this messaging service can also be secured via TOTP.
• VMware: With VMware Verify, the virtualization specialist offers its own service, which you can use to set up 2FA secured with TOTP codes. The manufacturer describes how to get it all set up on this page.
• Zoom: The video conferencing specialist has achieved unprecedented growth in recent years. As a technology leader, it is not surprising that the company also supports 2FA and TOTP.

Now that we have covered the most important companies and online services,  we can also recommend the international 2FA Directory for further research. You can manage all TOTP-secured services conveniently and securely via the NCP Authenticator App on your smartphone – alongside secure two-factor authentication for VPN access to remote networks.