Phishable: TOTP

What is TOTP?

TOTP (Time-based one-time passcodes) are codes used to secure the authentication process. These codes are generated and refreshed on a time-interval, usually 30 seconds or so. They are typically generated using mobile apps, such as Google Authenticator, Microsoft Authenticator, etc.

Why is it phishable?

TOTP is susceptible to phishing attacks such as seed disclosure, social engineering, and do not provide any protection against AitM (Adversary-in-the-Middle) attacks.

Common attacks on TOTP

  • Seed Disclosure: TOTP codes are generated through a shared secret key between the service provider and the user's TOTP app. If the key was stolen (example: an adversary discovered a QR code used to set up the TOTP), it can be used to generate valid TOTP codes and impersonate a victim.
  • AitM (Adversary-in-the-Middle): a convincingly fake login phishing website created by an adversary can lead to a session hijack. Check out the exploit on TOTP here.
  • Social Engineering: an attacker can deceive users to disclosing TOTP codes by impersonating trusted sources.

What should you do if your organization uses TOTP?

If your organization currently relies on TOTP for authentication, we recommend the following steps for improvement:

1. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.
2. Implement phish-resistant MFA, such as Beyond Identity, for hardened security.

If you want to see what other steps you can take to improve your overall security, check out our zero trust assessment for a full analysis on your authentication and device management practices.

Experience MFA done right

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.