Poster, HotSoS conference proceedings. DOI: 10.1145/3384217.3386396

Decentralized backup and recovery of TOTP secrets

Published: 21 September 2020

Abstract

This work proposes a set of security, privacy, and usability design requirements for the backup and recovery systems of apps implementing the Time-based One-Time Password (TOTP) algorithm, a widely deployed method of two-factor authentication (2FA). We explain how several prevalent apps fail to satisfy these requirements and outline how our scheme leverages decentralized security techniques to satisfy the majority of these requirements and provide stronger security and privacy guarantees.


Cited By

  • Adventures in recovery land. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security (2023), 227-243. DOI: 10.5555/3632186.3632199. Online publication date: 7 Aug 2023.
  • A framework for analyzing authentication risks in account networks. Computers and Security 135:C (2023). DOI: 10.1016/j.cose.2023.103515. Online publication date: 1 Dec 2023.

Information

Published In

HotSoS '20: Proceedings of the 7th Symposium on Hot Topics in the Science of Security
September 2020
189 pages
ISBN:9781450375610
DOI:10.1145/3384217
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. 2FA
  2. TOTP
  3. backup
  4. privacy
  5. recovery
  6. security
  7. time-based one-time passwords
  8. two factor authentication
  9. usability

Qualifiers

  • Poster

Conference

HotSoS '20
HotSoS '20: Hot Topics in the Science of Security
September 21 - 23, 2020
Lawrence, Kansas

Acceptance Rates

Overall Acceptance Rate 34 of 60 submissions, 57%
