
[T]OTPs are not as secure as you might believe

2022-11-17

Authors: Santiago Kantorowicz


Abstract

You probably receive OTPs (one-time passwords) all the time, usually as an SMS containing a 4- to 8-digit code. They are common when you sign in to (or register with) Uber, your bank (usually as a second factor), WhatsApp, and so on. The most widely adopted OTP length is 6 digits, and we simply accept that it is hard to guess: after all, it's a 1 in a million chance, and the code is only valid for a few minutes, so we leave it there. A few paranoid folks might wonder what happens if they get a new OTP after the first one expires; they may assume it is another 1 in a million chance and carry on with their lives. The truth is that when you calculate the actual chance of guessing one OTP after another, the odds are NOT 1 in a million. You will be surprised at how the probability of a correct guess climbs once you start thinking about brute forcing OTPs one after the other, and if you consider parallelising the brute force across different users, the surprise is even bigger.
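The cumulative odds the abstract alludes to, as an added example that is not part of the original post: a small Python risk model giving the probability that an OTP is guessed across consecutive OTP lifetimes and across many accounts, plus the number of OTP windows a per-account lockout can tolerate before a chosen risk threshold is crossed. The function names and the sample parameters (4- and 6-digit codes, attempt counts, the 50% threshold) are constructed for illustration, not figures from the post.

```python
"""Risk model for repeated OTP guessing (added example, not from the post).

Assumptions: each OTP is uniformly random over 10**digits values, guesses
within one OTP lifetime are distinct, and a fresh independent OTP is issued
every time the previous one expires.
"""
from math import floor, log1p


def p_single_otp(digits: int, guesses: int) -> float:
    """Probability of hitting one OTP with `guesses` distinct attempts."""
    space = 10 ** digits
    return min(max(guesses, 0), space) / space


def p_over_windows(digits: int, guesses_per_otp: int, windows: int) -> float:
    """Probability of at least one hit when guessing continues across
    `windows` consecutive OTPs. This is 1 - (1 - p)**windows, which is why
    the odds are not simply 'windows times 1 in a million'."""
    p = p_single_otp(digits, guesses_per_otp)
    return 1.0 - (1.0 - p) ** windows


def p_across_accounts(digits: int, guesses_per_otp: int,
                      windows: int, accounts: int) -> float:
    """Probability that at least one of `accounts` independent accounts is
    hit when the same attempt budget is spent against each of them."""
    p_one = p_over_windows(digits, guesses_per_otp, windows)
    return 1.0 - (1.0 - p_one) ** accounts


def max_windows_for_risk(digits: int, guesses_per_otp: int,
                         max_risk: float) -> int:
    """Largest number of consecutive OTP windows that keeps the cumulative
    success probability at or below `max_risk`. Useful when sizing a
    per-account lockout (total failed OTP attempts before the account locks).
    Solves (1 - p)**n >= 1 - max_risk for n using log1p for precision."""
    if guesses_per_otp < 1 or not 0.0 < max_risk < 1.0:
        raise ValueError("need guesses_per_otp >= 1 and 0 < max_risk < 1")
    p = p_single_otp(digits, guesses_per_otp)
    if p >= 1.0:
        return 0  # one window already guarantees a hit
    return floor(log1p(-max_risk) / log1p(-p))


if __name__ == "__main__":
    # Constructed sample: 6-digit OTP, 1 guess per OTP, a million accounts.
    print(f"6 digits, 1 guess/OTP, 1 window: {p_over_windows(6, 1, 1):.2e}")
    print(f"...same budget across 1e6 accounts: {p_across_accounts(6, 1, 1, 10**6):.3f}")
    print(f"windows before risk > 50%: {max_windows_for_risk(6, 1, 0.5)}")
```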

Materials: