Ask HN: Is using just a TOTP based authenticatation safe or a privacy issue

7 points by ab_testing ↗ HN
Hello HN, I am envisioning a webapp with the least amount of friction to enroll a user. Is using a TOTP based authentication with no password a safe technique or does it have some glaring holes that I am missing.

Example - user enters an email and receives a TOTP based 8 digit code valid for the next 10 minutes. The user enters the code and is able to view the authenticated information.

8 comments

[ 1.5 ms ] story [ 31.1 ms ] thread
By "receives", you mean they go to their TOTP app and get a code, right?
Or email if email is the username
If you’re doing an emailed TOTP, you might as well do a “magic link” at that point. I dislike both (prefer a secure TOTP app), but here one offers a better UX over the other.
I'm not sure about the email thing, I've just never used TOTP by email. Anyway I don't see anything glaring. The TOTP code has enough entropy that it won't get cracked in any reasonable amount of time. If you rate-limit login attempts, that would be better, but either way I think it's infeasible to crack. And it's a lot better than letting users use short or common passwords that are on some list already!
It transfers the dependency from something they know (password) to something they have access to (phone or email). That thing they have access to could be compromised which then means their account is compromised. That is a risk acceptance question you need to consider.

Also to consider: What happens if a user loses their phone? How do they get access to their account?

Everyone thinks having multiple affordable devices, some of which get almost no use but still have very important roles, is a weird techy thing to have.

I strive to avoid the stereotypes, but I have been unable to go without that setup since highschool!

If the TOTP code is transferred via email, then it is less secure because email is usually transferred in the clear unencrypted. If the TOTP secret is transferred over encrypted http connections via QR code or similar to the user, so the TOTP codes can be generated locally on their phone or similar, then that is more secure.

You also have to make sure to generate and transmit recovery codes in case they lose their phone.

TOTP is also kind of annoying to use.

The best auth from a security PoV is Webauthn.

> TOTP is also kind of annoying to use.

It should be offered, though, even if it's not the default.

I don't find it annoying to use at all, so long as my sessions can be sufficiently long-lived. It gets annoying when sessions end in a very short period of time, which I think can be potentially less secure because that creates more opportunities for authentication to be intercepted outside of HTTPS or for an exploit on an Authenticator-like app to be performed.

Just let me generate OTPs and stay logged in.