
TOTP Two-Factor Authentication (2FA) – Pros and Cons

Written by Megan Anderson on April 19, 2020


Two-factor authentication (2FA) – the two-factor case of multi-factor authentication (MFA) – is one of the most effective precautions against account takeover an organization can adopt. MFA requires two or more independent factors to authenticate users to IT resources, usually “something they know” (a password) combined with “something they have” (a phone running an authenticator app, or a hardware token) or “something they are” (a fingerprint or other biometric). A numeric code sent by SMS is a weaker form of the “something they have” factor, since it proves control of a phone number rather than of a specific device.

Admins often employ time-based one-time passwords (TOTP, RFC 6238) as the second factor. TOTP codes are short numeric codes (usually six digits) that an authenticator app derives from a secret shared with the server and the current time, so they change automatically, typically every 30 seconds. TOTP 2FA offers many security benefits, but there are also a few drawbacks to consider. Check out the following pros and cons to find out if TOTP 2FA is right for you.

Overview of TOTP 2FA

In order for users to access their assets, their credentials must match what their organization has on file, and the TOTP code they enter must match the code the server computes from the same shared secret and the current time. If the TOTP code doesn’t match (typically the server also accepts the code for the time step just before or after, to tolerate clock drift), the user is denied entry.
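As an added example that is not part of the original article, the following Python implements both sides of that exchange: the authenticator app’s code generation and the server’s check. It uses only the standard library, the RFC 6238 reference secret (the ASCII string "12345678901234567890", constructed here as test data, never a real key), and a hypothetical `last_used_counter` parameter to show how a server refuses a replayed code. The drift window and replay check are the caveats a practitioner usually has to add themselves.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret from RFC 6238 Appendix B (ASCII "12345678901234567890"),
# base32-encoded the way an authenticator app receives it in an otpauth:// URI.
# A real deployment generates the secret with a CSPRNG, e.g. secrets.token_bytes(20).
RFC6238_SECRET_BASE32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # the usual time step
DIGITS = 6          # the usual code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_base32: str, at: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The app and the server both run exactly this over the same secret, which is
    why codes can be produced offline and why a copied secret is as good as
    the device itself."""
    secret = base64.b32decode(secret_base32.upper())
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret_base32: str, submitted: str, at: Optional[int] = None,
                window: int = 1, last_used_counter: int = -1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Server-side check. Accepts the current step plus `window` steps either
    side, to tolerate clock drift and a code typed just as it rotated.
    `last_used_counter` (hypothetical name) is the highest counter this user has
    already authenticated with; the caller persists the returned value to it so
    the same code cannot be replayed within the window.
    Returns the matching counter, or None if the code is rejected."""
    secret = base64.b32decode(secret_base32.upper())
    now = int(time.time()) if at is None else at
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue  # already consumed: reject replay even if the digits match
        # constant-time comparison so a timing side channel cannot leak digits
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET_BASE32, at=now)
    print("app shows:", code)
    print("server accepts at counter:", verify_totp(RFC6238_SECRET_BASE32, code, at=now))
```

Run at the RFC’s sample time 1111111111 the app shows 050471; the server still accepts the previous step’s 081804 because of the one-step window, rejects it with `window=0`, and rejects 050471 once `last_used_counter` records that step as consumed.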

Pros:

  • Inexpensive to implement: Organizations often leverage TOTP 2FA because of how accessible it is. Most authenticator apps that generate TOTP codes are free or charge a small fee, so organizations of any size can secure their users’ identities if they choose.
  • Lightweight: Organizations don’t need to install any new hardware for users to authenticate to their IT resources. All they need is an authenticator app on their desktop, laptop, or phone. Most TOTP app providers offer apps for all those devices, so users can leverage whichever suits their needs.
  • Works offline: When a user enrolls an application or system, the authenticator app stores that account’s shared secret (usually scanned from a QR code). Because each code depends only on that secret and the current time, the app keeps producing valid codes for every enrolled resource without WiFi access or cellular service.
  • Can be used at scale: With the right provider, organizations can enforce TOTP 2FA at scale across all their IT resources. This includes heterogeneous systems, a vast array of applications, networks, and file servers.

Cons:

  • Requires a user’s device: A user can’t produce their TOTP code unless they have their authenticator app at the ready. If they forget their phone at home or their device’s battery dies, they may be unable to access their IT resources.
    • Fortunately, many web applications offer alternative ways to receive 2FA codes (backup codes or a secondary method), which the user can opt for if they’re unable to retrieve their TOTP code from an authenticator app. Keep in mind that the account is then only as strong as the weakest fallback allowed.
  • Fast expiration: Codes rotate every 30 seconds, so a user who types slowly, or whose device clock has drifted, may submit a code that has already expired. This can require entering multiple codes to log in, which takes additional time and may lead to account lockouts if they exceed their allotted attempts. Most servers mitigate this by accepting the codes for the adjacent time steps as well.
  • Secret key: TOTP 2FA relies on a secret key shared between the authenticator app and the server that verifies the codes. If a bad actor were to copy that secret (for example from a screenshot of the enrollment QR code, an unencrypted device backup, or a breached server database), they could generate valid codes at will and gain access to the user’s account, so the secret must be protected on both ends.

Is TOTP 2FA Right For You?

TOTP 2FA may not be right for everyone. Organizations that deal with exceptionally sensitive assets may benefit from other types of 2FA, such as hardware security keys (FIDO2/U2F), which, unlike a TOTP code, cannot be relayed by an attacker who phishes the user in real time. But, for organizations with limited resources that still want to secure their identities and IT resources, TOTP may be their ideal choice.

To learn more about how 2FA can benefit your organization, contact us. We’d be happy to explain the security benefits and options for 2FA in your organization.

Megan Anderson

Megan is a content writer at 探花大神 with a B.A. in English from MSU Denver. Colorado-born and raised, she enjoys hiking, skiing, and all manner of dogs.
