Global AppSec Dublin 2023

You likely receive OTPs (one-time-passwords) all the time, usually in the form of an SMS with a 4 to 8 digit code in it. Pretty common when you sign-in (or register) to Uber, your bank (usually as a second factor), Whatsapp, etc. The most adopted OTP size is 6 digits, and we just accept that it's hard to guess, after all its 1 in a million chance, and it's valid just for a few minutes, and leave it there. A few paranoid folks might wonder, what if get a new OTP after the first one expire, they may assume it's another 1 in a million chance, and continue with their life. The truth is that when you calculate the actual chance of guessing an OTP one after the other, the odds are NOT 1 in a million. You will be surprised how the probabilities of guessing spiral once you start thinking of brute forcing OTPs one after the other, and what about parallelising the brute force among different users, the surprise is even bigger.

Dates

Author

Conferences

Tags

[T]OTPs are not as secure as you might believe

tldr - powered by Generative AI