What is TOTP?
Those who have enabled multi-factor authentication (MFA) on their Google accounts or with other major vendors are aware of the importance of having it. For others, who are not aware of what MFA is and how it works, please look into the following wiki link: TOTP Wiki Page
Traditional Approach of TOTP apps:
Most of the authenticator apps out there start providing one-time passwords as soon as you:
- Scan the QR code provided to you
- Enter the secret text provided to you
Why might this not be the safest approach?
There is no way to tell whether the rightful owner is scanning the QR code or entering the key, which makes it a bit vulnerable. I'm not arguing about its existence, but the mere fact that if someone gets hold of my secret key and password, they can easily generate the OTPs and get access to my systems. Many people might say that we need to start using password generators for this purpose, and I am in fact voting in favor of them. The next thing that I'm about to share might sound silly, but it has worked well for many of my clients and users.
A small step can improve the situation a little:
- Instead of sending the secret key encoded as a QR code to the user's email or account, generate a custom URL from the application containing an expiring token with a reasonable lifetime, convert that URL to a QR code and share it with the users.
- The expiring token can be used only within the time limit, and it makes the identity clear when checked on the application side.
- The authenticator app needs to send a particular User-Agent or some kind of signature header so the application can distinguish its requests from others.
- The above step makes sure that nobody else can get access to the TOTP secret key.
- The authenticator app scans the QR code and requests the URL with that distinguishing mark to obtain the TOTP secret key.
The above-mentioned steps are just suggestions for those who feel the need to implement their own MFA solution and want to monitor or track access usage safely.