Two-factor authentication (2FA) –– otherwise called multi-factor authentication (MFA) –– is one of the best precautions against cyberattacks an organization can adopt. MFA requires two or more factors to authenticate users to IT resources, usually “something they know” (their credentials) in combination with “something they have.” The latter can be anything from a numeric code sent to their phones via SMS to their fingerprint.
Admins often employ time-based, one-time passwords (TOTP) as the second factor. TOTP tokens are randomized, numeric codes generated by an app that automatically refreshes. TOTP 2FA offers many security benefits, but there are also a few drawbacks to consider. Check out the following pros and cons to find out if TOTP 2FA is right for you.
Overview of TOTP 2FA
In order for users to access their assets, their credentials must match what their organization has on file, and their TOTP code needs to match what the application or system has on their server. If the TOTP code doesn’t match, then the user will be denied entry.
- Inexpensive to implement: Organizations often leverage TOTP 2FA because of how accessible it is. Most authentication apps that generate TOTP tokens are free or charge a small fee, so organizations of any size can secure their user’s identities if they choose.
- Lightweight: Organizations don’t need to install any new hardware for users to authenticate to their IT resources. All they need is an authentication app on their desktop, laptop, or phone. Most TOTP app providers offer 2FA for all those devices, so users can leverage whichever suits their needs.
- Remembers user accounts: When a user first attempts to access an application or system, their TOTP token generator saves and remembers it. This feature allows users to acquire their codes without WiFi access or cellular service, as their previous login attempts are saved to their device and will constantly have new codes generated for those resources.
- Can be used at scale: With the right provider, organizations can enforce TOTP 2FA at scale across all their IT resources. This includes heterogeneous systems, a vast array of applications, networks, and file servers.
- Requires a user’s device: A user can’t receive their TOTP code unless they have their authenticator app at the ready. If they forget their phone at home or their device’s battery dies, they may be unable to access their IT resources.
- Fortunately, many web applications offer alternative ways to receive 2FA codes, which the user can opt for if they’re unable to retrieve their TOTP token from an authenticator app.
- Fast expiration: This can require a user to enter multiple TOTP codes in an effort to log in before the code expires, which takes additional time and may lead to account lockouts if they exceed their allotted attempts.
- Secret key: TOTP 2FA uses a secret key shared between the authenticator app and the server hosting it. If a bad actor were to clone that secret key, they could generate valid codes at will and gain access to the user’s account.
Is TOTP 2FA Right For You?
TOTP 2FA may not be right for everyone. Organizations that deal with exceptionally sensitive assets may benefit from other types of 2FA, such as USB keys. But, for organizations with limited resources that still want to secure their identities and IT resources, TOTP may be their ideal choice.