Security Discussion: 2FA TOTP comes after the login credentials. Why?
-
Most websites have the 2FA TOTP shown on a second page after you input the correct login credentials. I know security is layered like an onion but that still opens up the door for brute force attacks and once cracked, bypassing TOTP isn't that hard with some old fashioned scam work like placing a phone call to the company and saying you're locked out of your account.
Wouldn't it be better if the hacker wasn't able to guess what the right credentials are in the first place by having the TOTP show up on the login page right under the user/pass fields? Is there a technical reason why most went with the two page method?
-
@humptydumpty Cloudron asks for the TOTP code on the same page, no?
Some websites show two steps in the UI, but actually send the username, password and code in a single request. Some websites ask for your username first, then display the password field, such as Google and Apple ID web. Some companies use the most common method of asking username and password at once, such as Facebook and Apple ID mobile app interface.
I don't think there's more security risk in one method than the other. If that was the case, all of them would be using the most secure way. That's exactly the same case for the TOTP code. Personally I prefer the username+password+totp in a single page because it "feels" more secure.
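As an added illustration of the point above (example code written for this thread, not from Cloudron, RoundCube or any poster), here is a minimal login handler in Python that takes username, password and TOTP code in one request and returns the same generic error whatever failed, next to the two-step pattern the original question describes, where a distinct "wrong code" response only appears once the password was right. The TOTP part follows RFC 6238/4226 with the standard library only; the account, salt and password are constructed sample values, and the TOTP secret is the RFC test-vector seed.

```python
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30      # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6
GENERIC_ERROR = "Invalid username, password or code"  # one message for every failure


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time // step))


def derive_password(password: str, salt: bytes) -> bytes:
    # Constructed demo cost; a real deployment tunes iterations to its hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    salt = b"constructed-static-salt-for-demo"  # constructed; real code uses os.urandom(16)
    return {"salt": salt, "pw_hash": derive_password(password, salt), "totp_secret": totp_secret}


# Constructed sample account; the TOTP secret is the RFC 6238 test-vector seed.
USERS = {"alice": make_user("correct horse battery staple", b"12345678901234567890")}

# Dummy record so an unknown username costs the same work as a real one.
_DUMMY = make_user("dummy", b"\x00" * 20)


def code_matches(secret: bytes, code: str, now: float) -> bool:
    """Accept the current window plus one on each side to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + d * TOTP_STEP).encode(), code.encode())
        for d in (-1, 0, 1)
    )


def login_single_step(username: str, password: str, code: str, now: float = None):
    """Check password and TOTP together; every failure gets the same answer."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    known = rec is not None
    rec = rec if known else _DUMMY
    # Both checks always run, so the response does not reveal which factor failed.
    pw_ok = hmac.compare_digest(derive_password(password, rec["salt"]), rec["pw_hash"])
    otp_ok = code_matches(rec["totp_secret"], code, now)
    if known and pw_ok and otp_ok:
        return (True, None)
    return (False, GENERIC_ERROR)


def login_two_step_leaky(username: str, password: str, code: str, now: float = None):
    """The pattern the thread describes: password first, TOTP only if it passed.
    The second message is reachable only with a valid password, so it confirms it."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(derive_password(password, rec["salt"]), rec["pw_hash"]):
        return (False, "Wrong username or password")
    if not code_matches(rec["totp_secret"], code, now):
        return (False, "Wrong authenticator code")
    return (True, None)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1, expected code 287082
    print(login_single_step("alice", "correct horse battery staple", totp(b"12345678901234567890", t), t))
    print(login_single_step("alice", "wrong", "000000", t))
    print(login_two_step_leaky("alice", "correct horse battery staple", "000000", t))
```

The single-step handler still needs per-account and per-source rate limiting to actually stop guessing; what it removes is the oracle that tells a guesser the password half was already right. The leaky variant is there only to show the difference in responses.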
-
@nj Yeah, Cloudron does it all on the same page. I installed a 2FA plugin for RoundCube yesterday and you won't get to the TOTP unless the user/pass entered are correct. Otherwise, it kicks you back to the login page. I've noticed the same thing on some other sites. Which got me wondering if there's some technical reason for that? Like if the app is based on a certain coding language and has some type of limitation in that aspect.
For the sites that display the username first, if the login request + TOTP is submitted at the same time, what would be the point in separating them? Bitwarden seems to be able to fill the fields with one click, so I'm guessing attacking bots won't be fazed by that implementation.
I'm just rambling lol. I remembered my experience with AT&T today and how they gave up my personal info and that got me all riled up again.
-
I think with most things like this, someone copied someone else hoping they knew what they were doing.
I can see reasons for both ways, and certainly multi-page eliminates brute force but forsakes speed and convenience.
Social-engineering seems to be the more common vector nowadays, so that's more of an education issue.
2FA really just ensures all login credentials are unique.
There's no helping anyone that gives up their own credentials to phishing though.
-
I think one thing about showing OTP on the second page is that they can hide it from the first page. And you don't have text like "optional / if enabled" like we have on Cloudron. I guess since we enable 2FA everywhere, it hasn't bothered us.
-
@marcusquinn As you've mentioned, social engineering and phishing pose a greater risk than brute force attacks. I read an article once about SMS hijacking that shows that SMS/phone numbers shouldn't be used to secure an account at all. I'll post it if I find it again.
@girish I prefer having it all on the same page. Even if I wasn't using TOTP for that account. For those that aren't tech savvy enough to know what TOTP is, it might push them to look it up and educate themselves. Win win, really.
-
@humptydumpty I like your idea of educating the users on the login page itself. You could also add something like "This code protects your account even if someone stole your password." Or a better wording would make an impact, really!