Ask HN: Why don't more apps use OTP as the first factor?
Hi,
Is there a reason besides inertia why most applications that require authentication use a secret like a password for the primary factor, rather than using a OTP app?
For context about me: I am pretty new to programming, learning web application development. So maybe this would be a Very Bad Idea, and I just don't know why yet!
But it seems to me that some advantages of using a OTP would be:
1. It would be easier to temporarily grant someone else access to your account - as long as the app gives you a way to log out all other sessions and reauthenticate
2. It would remove the burden of remembering/managing unique passwords from the user
9 comments
[ 2.8 ms ] story [ 30.5 ms ] threadBack in the old days you used to get single use passwords for secure system. This creates a similar problem, where loosing the sheet meant you needed new passwords.
So, you lock out IP addresses. The attackers move to using a botnet.
So, you lock out specific accesses to an account. The attackers can't move forward now but they can quite easily and cheaply deny access to a given account indefinitely.
So when implemented correctly, with a strong enough password policy and a way to introduce delay, i.e. with bcrypt2 and IP address locking, etc, 2FA makes it more difficult. The time to access is considerably longer for an attacker.
Of course, you've got similar problems with a password and a second TOTP but you've increased the difficulty level massively as the attacker must now have a working password before they can work on the 2FA dialog. At this point, you can easily spot suspicious behaviour and warn users, etc.
I interpreted his question to mean a one-time-password, not necessarily a numeric 2FA token, but a string password with ascii characters, with any length (or a reasonably long one at least), emailed or SMS'd to the user.
I don't have a great answer for OP other than, I've seen some big sites do it. For example, I never remember the password of my rarely-used Twitter account. Every time I have to log in, I use the OTP feature and get emailed a login link.
Of course, they deliberately discourage you from using that regularly, by making you set a new passphrase when you log in from a "magic link" sent by email.
Things you have are generally less convenient than things you know - which is why they're typically the 2nd factor, not the first factor.
[1] I'm assuming you need something to tell you the OTP - that you haven't memorized them all.