Using Public Key Cryptography for improving 2FA?



  • When using 2-factor authentication with plain TOTP, the secret is stored on both the client and the server. This in turn means that anyone with access to the database (and a key for it) knows the 2FA secret of all the users. Why is this acceptable? Storing plaintext passwords has been deemed unacceptable a long time ago.

    Public key cryptography is a perfect solution for this; one could combine it with TOTP. The client generates a private/public-key pair and the TOTP-secret and sends the public key and the secret to the server. The client then generates a TOTP-token, encrypts it with the private key and sends it to the server which can then verify it. Note that this encryption could also be implemented inside an app like "Google Authenticator" in a way that the user would just have to type it out as well.

    This solution seems a lot better to me as nobody on the server-side can know the private key. Why is it, or any other such alternative, not used in practice?
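The scheme the question proposes, written out as an added example (Go, standard library only; not code from the post or from any authenticator app): the client computes an RFC 6238 TOTP code and signs it with an Ed25519 private key, and the server checks the signature with the stored public key before recomputing the code from its own copy of the secret. As in the question, the TOTP secret itself is still sent to and stored by the server; only the signing key stays on the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp returns the RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits) for a Unix time.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Client keeps the private key; the Server receives the public key and, as in
// the question's scheme, the same TOTP secret (so the secret is still shared).
type Client struct {
	secret []byte
	priv   ed25519.PrivateKey
}
type Server struct {
	secret []byte
	pub    ed25519.PublicKey
}

// Enroll runs on the client: generate key pair and secret, hand the server its share.
func Enroll() (*Client, *Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	secret := make([]byte, 20) // 160-bit secret, the size RFC 4226 recommends
	if _, err := rand.Read(secret); err != nil { return nil, nil, err }
	return &Client{secret, priv}, &Server{secret, pub}, nil
}

// Authenticate: the client computes the code and signs it (the question's
// "encrypts it with the private key"), so only the key holder could produce it.
func (c *Client) Authenticate(now int64) (code string, sig []byte) {
	code = totp(c.secret, now)
	return code, ed25519.Sign(c.priv, []byte(code))
}

// Verify: check the signature with the stored public key, then compare the code
// against one recomputed from the server's copy of the secret (constant time).
func (s *Server) Verify(code string, sig []byte, now int64) bool {
	return ed25519.Verify(s.pub, []byte(code), sig) && hmac.Equal([]byte(code), []byte(totp(s.secret, now)))
}
```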



  • There are a few issues with your scheme that I can think of:

    • the server would have to store several keys per user, where the current scheme needs just one secret to be stored for multiple client authenticators
    • the authentication scheme shifts the responsibility of generating and maintaining the secret to the client, not the server, even though the server is the authenticating party
    • the client (the now-responsible-party) has no way of notifying the authenticating party that a key is invalid
    • it's over-engineered since a client-side PKI scheme could replace the entire authentication process
    • client-side key management is more difficult than it appears

    Your scheme is perfectly acceptable and is a well-known authentication design pattern that has been in use in mutual authentication SSH for decades. It is not fit-for-purpose for the goals of MFA, however.

    "Why is this acceptable?" "Why is it, or any other such alternative, not used?"

    Because TOTP supports a password and is not considered to have the same level of sensitivity.


