Why You Should Never Use Google Authenticator Again

Reasons why U2F is better than TOTP (one-time password)

SatoshiLabs
Trezor Blog


There can never be enough security. On the other hand, using faulty or weak protections may merely make you feel safe while you remain exposed to various threats.

Using passwords alone is generally a bad idea, something we have known since the beginning of the Internet. We are making progress toward a password-free world, but in the meantime, many websites offer additional protection for user accounts with Two-Factor Authentication (2FA).

In general, there are two types of 2FA implementations: Time-based One-time Password (TOTP) and Universal Second Factor (U2F). You may be familiar with the former, as it is the most commonly used 2FA: at login, you have to enter a one-time code generated by your phone app, a dedicated hardware device, or sent to you via SMS. While simple, there are several shortcomings to this method.

But not all kinds of 2FA are created equal!

How Does TOTP Work?

Time-based One-time Password (TOTP), popularized mainly by Google Authenticator, verifies your identity based on a shared secret. This secret must be shared online between you and the provider.

When logging into a website, your device generates a unique code from the shared secret and the current time, and you then submit this code manually. The server computes the same code from the same secret and compares it with yours to validate the login request.

Both sides compute the same code from the same inputs: the secret shared at registration and the current time.

Why Is TOTP Inadequate?

While TOTP is very simple to use, it has weaknesses and inconveniences.

  1. You have to manually input the code when logging in, adding another step to the process.
  2. Backup is cumbersome. You have to take additional steps to back up the secret. Also, services often offer backup codes instead of explicitly suggesting that you save the secret. If you lose your secret and log in with a backup code, you will have to redo the entire TOTP registration process.
  3. Backup codes are sent online, which is often insecure.
  4. You and the provider share the same secret. If an attacker hacks into a company and gains access to both the password and the secrets database, they will be able to access every account completely unnoticed.
  5. The secret is displayed in plaintext or as a QR code. It cannot be provided as a hash or with a cryptographic salt. This also means that the secret is most likely stored in plaintext form on the servers of the provider.
  6. The secret can be exposed during registration, as the provider has to give you the generated secret. By using TOTP, you have to trust the providers to be able to protect the secret. But can you?

How Does FIDO/U2F Work?

The U2F standard by the FIDO Alliance was created by technology corporations, such as Google and Microsoft, that recognized the weaknesses of TOTP. U2F uses public-key cryptography to verify your identity (Reddit — Explain Like I’m Five). In contrast to TOTP, you are the only one who knows the secret (the private key).

The server sends you a challenge, which is then signed with the secret (private key). The resulting signature is sent back to the server, which can verify your identity using the public key in its database.
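The following Go program is an added example of the challenge/response flow just described; it is not Trezor's or the FIDO Alliance's code, and it simplifies the real U2F message formats to the parts that matter for the argument. The token keeps an ECDSA P-256 private key and only ever hands the server its public key at registration; for each login the server issues a random challenge, the token signs it together with the origin it was asked to sign for and a signature counter, and the server verifies with the stored public key. The origin binding and counter check also illustrate the phishing protection and per-account signatures described later in the post. All type and function names here are this example's own; `https://example.com` and `https://other.example` are constructed origins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token is the user's authenticator. The private key is generated here and
// never leaves this struct; the server only ever sees the public key.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Registration is everything the server stores per account. Stealing this
// database yields no secret that could be used to log in.
type Registration struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// Assertion is the token's response to a login challenge.
type Assertion struct {
	counter uint32
	sig     []byte
}

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// Register hands the server the public key only.
func (t *Token) Register() Registration {
	return Registration{pub: &t.priv.PublicKey}
}

// signedData binds a signature to the origin the token was asked to sign for,
// the server's fresh challenge and the token's counter.
func signedData(origin string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// Sign is the "confirm on the device" step: the token signs for the origin it
// actually sees (not the one the user believes they are on) and bumps its counter.
func (t *Token) Sign(origin string, challenge []byte) (Assertion, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedData(origin, challenge, t.counter))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{counter: t.counter, sig: sig}, nil
}

// NewChallenge is the server's per-login random challenge.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify is the server side: the signature must verify under the stored public
// key for the server's OWN origin, and the counter must move forward, which
// rejects replays and flags a cloned token.
func (r *Registration) Verify(origin string, challenge []byte, a Assertion) error {
	if a.counter <= r.counter {
		return errors.New("counter did not increase: replayed assertion or cloned token")
	}
	if !ecdsa.VerifyASN1(r.pub, signedData(origin, challenge, a.counter), a.sig) {
		return errors.New("bad signature: wrong key, wrong origin or altered challenge")
	}
	r.counter = a.counter
	return nil
}

func main() {
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	reg := tok.Register() // server stores the public key, nothing secret
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	assertion, err := tok.Sign("https://example.com", challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("login verified:", reg.Verify("https://example.com", challenge, assertion) == nil)
}
```

Because the origin is part of the signed data, a signature produced for one site is useless to another site, and because the challenge is random per login, an observed assertion cannot be replayed.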

Benefits of U2F

  1. No secret (the private key) is sent over the internet at any time. No confidential information will ever be shared, thanks to public-key cryptography.
  2. Easier to use. No retyping of one-time codes involved.
  3. Privacy. No personal information is associated with the secret.
  4. Backup is theoretically easier, though not always possible: for example, you cannot back up a YubiKey.

Because with U2F there is no shared secret and no confidential database stored by the provider, a hacker cannot simply steal an entire database to get access. Instead, they have to target individual users, which is much more costly and time-consuming.

Moreover, you can back up your secret (private key). On the one hand, it makes you responsible for your security, but it also means that you do not need to trust any company to protect your secrets (private keys).

Trezor — U2F Done Right

Trezor is a small dedicated device designed to store private keys and to serve as an isolated computing environment. Originally invented as a secure Bitcoin hardware wallet, created to protect money, its uses have expanded thanks to the wide applicability of asymmetric cryptography. Trezor can now serve as a hardware security token for U2F, but with backup/recovery functions and convenience, which no other product can compare to.

How Does U2F With Trezor Work?

When logging into a website, you generally authenticate yourself by providing a user name and a password. With Trezor and U2F, you will have to additionally confirm the login with a click on your Trezor device.

Unlike some other tokens, Trezor always uses a unique signature for each and every user account registered. Additionally, Trezor brings U2F to a completely new level:

  1. Easy to back up and recover. Trezor requires you to back up your so-called recovery seed during the initial setup of the device. This is a one-time process for all functions of the device. The recovery seed represents all the secrets (private keys) generated by the device and can be used to restore your hardware wallet at any time.
  2. An unlimited number of U2F identities, that are all saved under one backup.
  3. The secret is safely stored inside Trezor. It will never be shared, as it can never leave the device. No viruses or hackers can access it.
  4. Phishing protection with on-screen verification. Trezor always displays the URL of the website you are logging into, and what exactly you are about to authorize. You can verify that what was sent into the device is, in fact, what you expected.
  5. Additional information on setup, use, and recovery of Trezor for U2F can be found in our blog post here or in the User Manual.

The security properties of asymmetric cryptography fit the security philosophy of Trezor. With the U2F support in Trezor, we encourage users to employ all measures available to secure their accounts and identity online.

Interesting Articles:

Here’s How an Attacker Can Bypass Your Two-Factor Authentication
Adding a phone number to your Google account can make it LESS secure
Centralized versus Decentralized Networks

About Us

Created by SatoshiLabs in 2014, the Trezor One is the original and most trusted hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, and serves as the second factor in Two-Factor Authentication. These features combine with an interface that is easy to use whether you are a security expert or a brand new user.

Trezor Model T is the next-generation hardware wallet, designed with the benefits of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.

Secure your digital identity with Trezor.


Innovating since we founded the industry in 2013 with production of the first crypto hardware wallet, the Trezor One. Open-source, secure, community-driven.