Ask HN: Why don't more apps use OTP as the first factor?

7 points by theschmed ↗ HN
Hi,

Is there a reason besides inertia why most applications that require authentication use a secret like a password for the primary factor, rather than using a OTP app?

For context about me: I am pretty new to programming, learning web application development. So maybe this would be a Very Bad Idea, and I just don't know why yet!

But it seems to me that some advantages of using a OTP would be:

1. It would be easier to temporarily grant someone else access to your account - as long as the app gives you a way to log out all other sessions and reauthenticate

2. It would remove the burden of remembering/managing unique passwords from the user

9 comments

[ 2.8 ms ] story [ 30.5 ms ] thread
Most users don't even know what an OTP is.
Otp apps require a device or a token. Requiring this removes the ability for a user to get in if their phone is dead, or lost. The support burden is also higher for a reset. Nothing is a show stopper, but also painful enough to prevent wider adoption.

Back in the old days you used to get single use passwords for secure system. This creates a similar problem, where loosing the sheet meant you needed new passwords.

When I worked in Zurich, OTP was handled in exactly this way for visitors like myself. The company I was working with referred to it as a strike list.
For example, there are 999999 combinations for TOTP. You might not be able to get through all those combinations in 30s but you could probably get through enough to give you a good chance of access on a long enough timeline.

So, you lock out IP addresses. The attackers move to using a botnet.

So, you lock out specific accesses to an account. The attackers can't move forward now but they can quite easily and cheaply deny access to a given account indefinitely.

So when implemented correctly, with a strong enough password policy and a way to introduce delay, i.e. with bcrypt2 and IP address locking, etc, 2FA makes it more difficult. The time to access is considerably longer for an attacker.

Of course, you've got similar problems with a password and a second TOTP but you've increased the difficulty level massively as the attacker must now have a working password before they can work on the 2FA dialog. At this point, you can easily spot suspicious behaviour and warn users, etc.

Maybe I misunderstood the OP or the standard usage of the acronym OTP/TOTP is only for referring to 2FA tokens?

I interpreted his question to mean a one-time-password, not necessarily a numeric 2FA token, but a string password with ascii characters, with any length (or a reasonably long one at least), emailed or SMS'd to the user.

I don't have a great answer for OP other than, I've seen some big sites do it. For example, I never remember the password of my rarely-used Twitter account. Every time I have to log in, I use the OTP feature and get emailed a login link.

Password resets are a great example of an almost universal usage of OTP, thank you.

Of course, they deliberately discourage you from using that regularly, by making you set a new passphrase when you log in from a "magic link" sent by email.

An OTP falls into the "something you have" category[1] whereas passwords are in the "something you know" category.

Things you have are generally less convenient than things you know - which is why they're typically the 2nd factor, not the first factor.

[1] I'm assuming you need something to tell you the OTP - that you haven't memorized them all.

It also means one point of security. Anyone with my phone has access to the OTP as well.