9

We are using TOTP (https://datatracker.ietf.org/doc/html/rfc6238) for a web application to enhance security. TOTP works on UTC. If the system clock drifts or NTP is not synced, the TOTP generated by an application (like MS Authenticator, Google Authenticator or https://totp.danhersam.com/) will not be the same as the OTP generated by the web app. We thought of adding the current date + time + TZ to the error message along with "Invalid TOTP".

So my question is: how could an attacker use information about the website's time (lagging or ahead) in any possible way, and would that make adding date + time + TZ information to the error message a bad idea?
Are there any time-based attacks?

  • 2
    The current datetime is probably already being sent in the Date HTTP response header, so displaying this in the UI as well would make no difference.
    – Gh0stFish
    Commented Jan 8 at 8:41
  • 2
    As an addition: "time based attacks" usually refers to race conditions or this is at least what I can only imagine. Because as the answer states, time is a well-known constant of the universe, so an attacker gains nothing from knowing the time explicitly.
    – rugk
    Commented Jan 8 at 15:16

1 Answer

18

It doesn't. The security of TOTP doesn't depend on time being secret. It depends on the secret being secret.

I would assume time to be well known and public - best practice is to use NTP, which means that an attacker will know what time it is to within a second.

  • 3
    It does depend on the time of the website being reasonably close to that of the generating app. If the website is non-trivially behind and the attacker knows this, it significantly opens the window for an attacker to steal a token and then replay it later. Commented Jan 8 at 15:54
  • 4
    @user1937198 So it's only a potential exploit if the site has another problem that's easily avoided.
    – Barmar
    Commented Jan 8 at 16:51
  • 3
    @user1937198 Right, didn't read the question fully to see that time drift is an actual concern. But this just makes me think that they're worrying about the wrong thing -- fix the time drift, don't display the time.
    – Barmar
    Commented Jan 8 at 17:20
  • 4
    Displaying the time does make it easy to detect time drift, then a user can write an angry letter to customer support and (if your organization is functional (which no organizations actually are)) it can be fixed. Commented Jan 8 at 19:31
  • 5
    We used to have customers who travelled from London to Barcelona and instead of changing the time zone, they changed the clock. Bit more than “drift”. We displayed server time and client time, so the user had a chance to fix it if the client time was wrong. If my watch says 10:31 and the server says 10:17 then I ask a colleague for the time and then I know to change my clock or to complain about the server.
    – gnasher729
    Commented Jan 9 at 9:28
