We are living through the fourth industrial revolution, and with it comes explosive development and disruptive technology. Cross-platform applications on multiple devices, the Internet of Things and cloud services are some of the exciting trends, and that is great, but so is the number of passwords we need to access them: also "great" (as in many)!
Many of us now have more passwords than real-life friends. The challenge is managing and remembering multiple complex passwords across several accounts and devices.
In a world where cybercrime is rampant, we are also urged to secure our accounts with additional steps such as two-factor authentication (2FA), often via an authenticator app. The latter is a useful tool which I would like to drill down on.
How do Authenticator Apps work?
Authenticator apps such as Google Authenticator, Authy, Duo and 1Password make use of Time-Based One-Time Passwords (TOTP). TOTP is an open standard from the Internet Engineering Task Force (RFC 6238, building on the HMAC-based one-time password algorithm HOTP of RFC 4226). Because the codes depend on the current time rather than on a network connection, the device generating them needs no Internet access, which is what makes TOTP a practical second factor. The protocol is very widely supported across the Internet; it is used by small and large corporates alike, and it is also used by the GreatSoft Cloud Document Management (CDM) servers.
TOTP works by sharing a secret between the server and you; once the secret is shared, the other factor both sides know is the current time. Codes change every 30 seconds, and as long as your phone's clock is within the server's tolerance (typically one step either side, so a given code is accepted for roughly 60 to 90 seconds) it works very well. It also works when the device you have TOTP set up on is offline.
Setting up TOTP on GreatSoft Cloud Document Management Server
When you set up TOTP, our server generates a secret key (a random value, shown to your app as a string of letters and digits) which is displayed in a QR code that you scan with your mobile device. The QR code also carries the account details your app needs to label the entry.
Now your phone and our server both hold a copy of this secret key. When you want to log in, you need to prove that you have the key. To do this, your app combines the key with the current time (rounded down to the current 30-second step) to produce an access code. It does this using a keyed hash function (for the crypto-heads out there, it uses HMAC-SHA-1, just so you know). In layman's terms, it mixes the time and your key together to produce an output that looks random (if the time or the key differ in even the slightest way, the output is completely different) and that cannot be reversed in practice (knowing the output does not help you recover the secret key). To make it easier to type, the output is shortened to a 6- or 8-digit number.
When prompted, you type the code into the password box as you would for a normal password:
Our server repeats the process and if the code matches, you’re in!
Benefits of TOTP
With free apps available, TOTP is a quick and easy way to add a second factor to your logins. It is the most widely supported method too: you can use the same app to secure your accounts at Facebook, Google, LinkedIn, GitHub and many more.
TOTP is regarded as a secure second factor. Even if an attacker sees a one-time code, there is no practical way for them to work out what the next one will be; the only way to do that is with the secret key, which stays on your phone and on our server. A code is valid for about 60 seconds (its 30-second step plus some tolerance for clock skew), so in theory, if someone intercepts both the access code and your password, they have a short window of time in which they could use it against you.
There is no protection in TOTP against an attacker tricking you into typing the code into a site that is not GreatSoft CDM (a phishing attack): a code relayed to the real site within its validity window works just as well for them as it does for you. And since the secret key lives on your phone rather than on a dedicated security device, malware on the phone may be able to steal it. This is still a much harder proposition for an attacker than having no two-step verification to get past at all!
GreatSoft CDM offers TOTP logins for both Practices and their clients. Enable the authenticator method today and a lost, guessed or stolen password on its own is no longer enough to get into your account.