EmailDiscussions.com  
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
Old 4 Dec 2016, 01:04 PM   #1
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
TOTP Key Fob for FM 2FA: Suggestions?

I'd like to get a TOTP key fob for logging in to my FM account via 2FA. I already use an authenticator app; the fob would be a backup/alternate 2FA method. To be clear, this is the kind of security token with no USB connection, but just a numeric code I'd manually type in to FM.

I see FM recommends the Feitian c200, and so I'd like to get that, but I'm not seeing it for sale at places I usually shop, like eBay and Amazon.

The manufacturer at ftsafe.com seems to sell it in a minimum 5-pack, and I just want 1 or maybe 2 of these.

So, maybe I'll get another brand. But on Amazon, I'm having trouble even finding one that's simple and generic enough to be appropriate. The ones I see there are either expensive multi-packs for professional use, have licenses/durations attached, or seem to be for specific services like online games or Amazon Web Services.

Can anyone recommend one, for FM 2FA use, at an easy-to-purchase location online?

Thank you!
DumbGuy is offline   Reply With Quote

Old 5 Dec 2016, 08:36 PM   #2
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Ok, so I just bit the bullet. All this time spent/wasted surfing around online in small clumps over the past few weeks trying to find the most appropriate TOTP key fob... I just now bought the whole 5-pack at Feitian to get it over and done with.

I'm looking forward to receiving these and getting them set up w' FM.

(Once received, I'll have a few extra I won't need. If you live in US and can pay in Bitcoin, I'll be happy to send you one for USD$20 - my cost + shipping.)
DumbGuy is offline   Reply With Quote
Old 6 Dec 2016, 04:46 PM   #3
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote:
Originally Posted by DumbGuy View Post
Ok, so I just bit the bullet. All this time spent/wasted surfing around online in small clumps over the past few weeks trying to find the most appropriate TOTP key fob... I just now bought the whole 5-pack at Feitian to get it over and done with.

I'm looking forward to receiving these and getting them set up w' FM.

(Once received, I'll have a few extra I won't need. If you live in US and can pay in Bitcoin, I'll be happy to send you one for USD$20 - my cost + shipping.)
Can you link to the things you bought?
17pm is offline   Reply With Quote
Old 6 Dec 2016, 04:52 PM   #4
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Quote:
Originally Posted by 17pm View Post
Can you link to the things you bought?
Already done. The 5-pack link in my original post above.
DumbGuy is offline   Reply With Quote
Old 8 Dec 2016, 02:29 AM   #5
danieldk
Essential Contributor
 
Join Date: Mar 2014
Posts: 212
It should also be noted that TOTP only provides limited protection against phishing. A TOTP code is typically valid during the current and the next time step. The default recommended time step size is 30 seconds [1], which normally gives a window of 60 seconds wherein the TOTP code is valid. Plenty of time for a phisher to automatically or even manually relay the code to the real server.

If you want a second factor that also provides protection against phishing, get a U2F key. The U2F device signs the URI and TLS Channel ID and the relying party can validate that these are correct. U2F keys are quite affordable (typically 10-20 Euros). You could carry one device with you and associate a backup U2F key that you keep in a safe somewhere.

[1] https://tools.ietf.org/html/rfc6238#page-6
danieldk is offline   Reply With Quote
Old 8 Dec 2016, 06:37 AM   #6
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Thanks for your input, Daniel. Hmm, maybe I'll give U2F more consideration.

Are phishing hackers known to immediately utilize OTP 2FA codes to gain access to an account? Gosh, that sorta negates the reason to use OTP. (And more reason, I think, why FM should have an Account Master Password that differs from a login password.)
DumbGuy is offline   Reply With Quote
Old 8 Dec 2016, 10:00 PM   #7
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
The only downsides to U2F is that you have to physically insert it into a USB port and it's only natively supported in Chrome, so it's not necessarily a practical solution if you're frequently hopping onto public terminals (there are also NFC-based U2F tokens, but they're designed for NFC-capable mobile devices — most public terminals aren't going to have NFC readers).

This is where TOTP is a more viable solution since it doesn't require anything other than keyboard input. While Daniel is right that it doesn't completely rule out password disclosure through phishing attacks, those are usually pretty easy to avoid by taking a few precautions, and since we're talking specifically about FastMail, you're unlikely to be the target of an email phishing attack that tries to get your FastMail password — are you really going to click a link in an email message in your FastMail inbox purporting to be from FastMail, that would ask you to sign into FastMail again, and then actually supply your TOTP again when you were already signed into FastMail in the first place?

The more likely attack vector that I'd be concerned about in these situations would be something like a key logger on a public terminal. While it's certainly possible that such a key logger could be live, in most cases they're more likely logging passwords for later use, which is something that TOTP would definitely protect against.

Of course, if you know every computer you'll be authenticating to has Chrome installed and you'll have access to the USB ports, then by all means a U2F token is definitely the way to go.
jhollington is offline   Reply With Quote
Old 9 Dec 2016, 06:29 AM   #8
jofallon
Junior Member
 
Join Date: Nov 2007
Posts: 26
Totp

How could phishers get the 6 digit code during the 60 second window of vulnerability? If it's an app running on a smartphone (or with something like 1Password), would the gadget have to be already compromised for that to happen?

If you use a public terminal, you've pretty much consented to compromise, I think.
jofallon is offline   Reply With Quote
Old 9 Dec 2016, 08:42 AM   #9
rusl
Member
 
Join Date: Mar 2015
Posts: 78
A phishing site looks like the official Fastmail page. It asks you to enter your username and password, then a 2FA code (which is valid for approximately the next thirty seconds). The phishing site takes those three pieces of information and immediately (because it only has thirty seconds) uses them to login to the real Fastmail site and probably change your password straight away to lock you out. The added security of the 2FA means that the attacker only has thirty seconds to re-use the phished credentials, whereas without 2FA they can re-use the username and password at any time in the future at their convenience (that is until you change your username and password in the future).
rusl is offline   Reply With Quote
Old 9 Dec 2016, 09:09 AM   #10
rusl
Member
 
Join Date: Mar 2015
Posts: 78
Getting the most out of your 5-pack from Feitian of their c200 TOTP hardware tokens:

If you use TOTP for other services you can obtain the TOTP seed that those services gave you when you activated TOTP. They probably told you that if you weren't able to scan a QR code you could manually enter a string of characters into your TOTP app. That string of characters is either a Base-32 string or a HEX string. If it was Base-32 then remove the spaces and then you pad the end of the string up to a length of 32 characters with the letter "a" and then convert it to HEX. If it was a HEX string then pad it up to 40 characters with zeroes at the end, eg "0000000".

You want a 40 character HEX string derived from the TOTP manual entry code. If you didn't write down the manual entry code you were given when you activated 2FA on a particular account you can disable 2FA on that service and re-activate it, and copy that manual entry code down when they provide it to you.

To test if you have correctly converted the manual entry seed to a working 40 character HEX you can use the command line tool oathtool in linux. Install it in Ubuntu with: sudo apt-get install oathtool

Now run:
oathtool --totp -v "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
but replace all those A's with your 40 character hex string.

Alternatively run:
oathtool --totp --base32 -v "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
This second command uses the base32 flag to take your base32 input and it will convert it to hex for you!!

The output will show your hex string, the equivalent base-32 string, some other information, and lastly it will produce a six digit code on the last line (valid right now and for the next thirty seconds). If this is the same six digit code produced by the app you currently have registered with the service and if this code allows you to successfully login to that site then the 40 character hex string is the right one to send to Feitian for them to produce a token that will generate valid codes for that site.

Jackpot. Success.

Now go order a 5-pack of the c200 tokens from Feitian and when you fill out the form to specify your order you can supply them with 40 character HEX codes which they will use as the "manual seed" to program some of the tokens for you. You don't need to do this for Fastmail. For the one you want to use for Fastmail ask for it to be "seeded randomly" and they will provide you with the manual entry seed when they deliver the token. I guess if you really want to you can get Fastmail to produce a seed and then convert it to 40 characters of hex and provide it to Feitian if you really want to. Most other services don't let you enter your own manual entry code on their site when setting up TOTP/2FA, they provide it for you, hence why you need Feitian to program the tokens with the manual entry code you provide to them.

Oh, probably don't just email those hex seeds to Feitian. Email isn't secure and you shouldn't be emailing "passwords" around the place. Create an encrypted file and upload it somewhere for Feitian to download from behind a password protected download link. You can make a password protected website using Fastmail itself. Watch the website access logs and once they've downloaded it you should delete it from the server. Yeah, there are probably better ways - let me know.

Anyway, long story short, you can have tokens programmed to work with your favourite 2FA/TOTP secured services such as Microsoft and Google accounts. You now have a hardware token instead of using a smartphone app.

It's yet another option.

But always write down the manual entry codes on paper somewhere safe in case your token runs out of batteries or is lost.

Last edited by rusl : 9 Dec 2016 at 09:32 AM. Reason: typo
rusl is offline   Reply With Quote
Old 9 Dec 2016, 04:26 PM   #11
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Thanks for the rundown, rusl! Yes, I already have obtained my seeds from Feitian (via a secure channel) and now await the key fobs to arrive in the mail.

So, the 40-char hex seed that I have now for each security token: I assume that's what FM will have me enter in when I add another 2FA/TOTP device to my account. We'll see.

As for attack vectors... I'm not too worried about phishing. But keyloggers I think are a viable threat - certainly on someone else's (or public) computer, but even on my own computers it's not out of the question.

I always assumed logged credentials are often sent back to the hacker with a delay, and that's why we all tend to feel comfortable with TOTP codes for 2FA. But with more and more people using 2FA logins around the web, it doesn't seem that much of a stretch to think the bad guys will keylog capture the 2FA code and then, in an automated fashion, login to the victim's account immediately for further exploitation.
DumbGuy is offline   Reply With Quote
Old 9 Dec 2016, 07:00 PM   #12
rusl
Member
 
Join Date: Mar 2015
Posts: 78
Yep. Settings > Password and Security > Add Verification Device > Set Up Authenticator App > "Set a custom key" (text link in Step 1) > Enter the seed value here. 40 character hex works. I didn't test base32.

If Fastmail's login system allowed only one login success per OTP code then it would prevent phishers from harvesting an OTP code for re-use in the 30 second validity period. So effectively each TOTP code becomes a single-use code as well. Honestly, who is going to do two legitimate TOTP logins within 30 seconds on one account? Hey Fastmail, feature request here!

Last edited by rusl : 9 Dec 2016 at 07:09 PM. Reason: clarity and extra thoughts
rusl is offline   Reply With Quote
Old 9 Dec 2016, 07:39 PM   #13
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Single-use TOTP code -- that's a damn good idea! Knowing FM, they've probably at least considered it.

Could it already be in place? I'll have to test soon.
DumbGuy is offline   Reply With Quote
Old 9 Dec 2016, 10:42 PM   #14
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
Actually, this whole discussion is kind of moot as TOTPs are one-time use, by the very definition of One-Time Passwords.

I'm actually kind of slapping my forehead for this not clicking when we were discussing this yesterday (I was clearly too focused on the U2F side). It's a required part of the TOTP specification in RFC 6238:

Quote:
Note that a prover may send the same OTP inside a given time-step
window multiple times to a verifier. The verifier MUST NOT accept
the second attempt of the OTP after the successful validation has
been issued for the first OTP, which ensures one-time only use of an
OTP.
It's easy enough to confirm for yourself that FastMail follows the spec.... Just open two private/incognito browsing windows on your computer, and try to log in to your FastMail account in each one with the same TOTP code. The first one will work, the second will likely not. Out of over 20 test logins, I did have it work the second time once, but I'm going to guess that was due to a brief internal sync delay within FastMail's systems — essentially not flagging the password as "used" quickly enough. However, that was a one-off, and subsequent tests, even a second apart (basically, the time it takes to switch browser windows even when you've already got the TOTP pre-entered into both windows and just need to click "submit."

Just to expand a bit, TOTPs grew out of the original idea of OTP password "lists" (something that FastMail also supported until recently through its "Alternative Logins" system that was discontinued last summer in favour of the new 2FA system). Original OTP specifications (defined in RFC 4226, although proprietary OTP algorithms predate that by quite a bit) generally required that users pre-generate a list of passwords that would be carried around and crossed off whenever one was used. Each password could only be used ONCE, and was invalidated as soon as it was entered. You'd also have a print a new list every so often when you got to the bottom of your first one. The whole point of Time-based One-Time-Passwords (TOTPs) was to provide a way to algorithmically generate these passwords so you wouldn't have to carry a list around with you and deal with reprinting it every so often, which could often be a pain, but obviously it was always still intended to be a One-Time password in the spirit of the original OTP specification.

Last edited by jhollington : 9 Dec 2016 at 10:49 PM.
jhollington is offline   Reply With Quote
Old 10 Dec 2016, 11:42 AM   #15
rusl
Member
 
Join Date: Mar 2015
Posts: 78
Yep, you're right. I'm an idiot. I didn't read the full spec or test thoroughly enough - the fixed width font made the RFC a tough read.

I tested it yesterday but I think I had previously ticked the 'remember this browser' box or something. Did a full cookie sweep on both browsers and yes, it rejected the second attempt.
rusl is offline   Reply With Quote
All times are GMT +9. The time now is 12:57 AM.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy