SHA1-based TOTP 2FA vulnerable to attacks? Improve security with stronger hashing algorithms like SHA-256 & SHA-512. Research on Authenticator app support shows limited support for stronger hashing. Keycloak, AWS Cognito, and others use SHA-1 by default. CoGuard's application discovery tools help identify misconfigurations and reduce exposure risk.
We all use them nowadays without thinking much: Authenticator applications.
There are a variety of two factor authentication (2FA) Authenticator applications available:
One of the reasons for the breadth of available applications the functionality of Time based One Time Password algorithm (TOTP) is so simple. The applications require:
Then the (usually) 6-digit numbers that change every 30 seconds (this duration can be configured) are basically truncated HMAC authentication tokens with a secret key and the current counter value as a message.
The HMAC portion requires a hash algorithm to be used. The year the RFC6238 came out was 2011 (and the underlying HOTP RFC was published in 2005), and it is surprising that SHA1 has been chosen and SHA256 and up are put as something implementations “may use”. The reason it is surprising is because SHA1 was already marked as deprecated that year by NIST. In 2017, a group of researchers published a significant improvement to attacking the SHA1 hashing algorithm compared to birthday attacks.
While it is not entirely quick and easy to find SHA1 collisions, it is a matter of time until further improvements are made, and keeping relying on SHA1 as the underlying hash algorithm is not a good idea.
From the introduction, you can probably already deduce two sides of the problem when trying to improve the security here:
Let’s look at the server-side first.
Most authentication server providers do not give their users the option to configure a more secure hashing algorithm including SHA-256 or greater.
The support for stronger hashing on the application end is limited. We conducted research on Authenticator application support for stronger hashing including SHA-1, SHA-256 and SHA-512.
Client authenticator applications were tested in a test environment with a Keycloak version 24.0.3.
** As of May 6, 2024.
It appears that it is only a matter of time until someone creates a curated attack for the SHA-1 based TOTP design. It would be an interesting research problem, also given that an attacker may be able to collect a few samples.
We expect the different software providers and applications to increase their support, especially through some compliance pressure, i.e., NIST retiring SHA-1 support for US Federal Government by Dec 31, 2029.
At CoGuard, we don’t want this exposure to go unnoticed for the next 5 years. We provide tools for customers to identify applications and configurations to reduce misconfiguration risk. CoGuard application provides application, container and network discovery tools to automate the identification of the configurations for used and unused applications in an infrastructure. CoGuard extracts the configurations for all of the above Authentication and Identity Providers. And produces configuration warnings if we detect either a specifically configured SHA-1 algorithm for 2fa, or if a software on the server-side is being used which does not support setting the hash algorithm to anything but SHA-1 (see e.g. Cognito).
