Question
Is it safe to share 2FA codes? I'm talking about TOTP like Google Authenticator or Authy.
For example, if I have a code and its generation time, is it possible to predict new codes? What if I have more than one code+time pair?
I think it's possible to predict new codes based on old information (code+time).
So if this is possible, how do I do it? I'm looking for some algorithm.
Known: time period, time, code and secret length.
Example:
22:20:30 561918
22:21:00 161664
22:21:30 610130
Answer 1:
Internally, these 2FA generators usually work based on a time-based one-time password algorithm. Those algorithms work by using strong hash functions on a combination of two values: a shared secret and the current time increment, and specifically use a construction called HMAC that’s known to be secure provided the underlying hash function is.
As a result, if someone could predict future outputs of your 2FA device by seeing some timestamps and outputs from the 2FA device, then they would either (1) have to know the shared secret or (2) be able to break the HMAC. Both of these are unlikely unless someone either has hacked Google or knows of attacks on HMAC or the underlying hash function in ways beyond what’s in the public literature.
In other words, you shouldn’t need to worry about someone guessing future values given past values, though I’d still advise against giving out old values because you shouldn’t be giving out 2FA values to anyone except the site you’re logging into. :-)
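The construction the answer describes, written out as an added example (this is not code from the original post or the Stack Overflow answer): RFC 4226 HOTP and RFC 6238 TOTP built from the standard library, a server-side verifier with a drift window, and a toy exhaustive search that recovers a deliberately tiny 2-byte secret from observed (time, code) pairs. The 2-byte toy secret and the observation timestamps are constructed for the demonstration; the ASCII test secret `12345678901234567890` is the one the RFCs use for their test vectors. The point of the search is the contrast it makes: the only way from old codes to new ones is the secret, and a real 20-byte (160-bit) secret multiplies the search by 2**144.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), written from scratch so the
structure is visible: HMAC(secret, time counter), then dynamic truncation
to a 6-8 digit code. Added example, not code from the original answer."""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    truncation (offset = low nibble of last byte, take 31 bits) mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP with counter = floor((T - T0) / X). Everything a
    verifier (or attacker) can see is the output of this function."""
    return hotp(secret, (unix_time - t0) // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` time steps of clock drift.
    compare_digest keeps the comparison constant-time; the counter is
    clamped at 0 because the counter is packed as an unsigned integer."""
    counter = unix_time // step
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def secrets_consistent_with(observations, secret_len: int,
                            step: int = 30, digits: int = 6) -> list:
    """Exhaustively find every `secret_len`-byte secret that reproduces all
    observed (unix_time, code) pairs. This is the only generic route from
    past codes to future ones, and it is feasible only for toy secret sizes:
    a real 20-byte secret has 256**20 == 2**160 candidates."""
    matches = []
    for n in range(256 ** secret_len):
        cand = n.to_bytes(secret_len, "big")
        if all(totp(cand, t, step, digits) == c for t, c in observations):
            matches.append(cand)
    return matches


if __name__ == "__main__":
    # Realistic enrolment: a random 20-byte secret shared with the verifier.
    real_secret = os.urandom(20)
    now = int(time.time())
    code = totp(real_secret, now)
    print("current code:", code, "accepted:", verify_totp(real_secret, code, now))

    # Constructed toy: a 2-byte secret observed at three consecutive steps.
    toy_secret = b"\x12\x34"
    observations = [(t, totp(toy_secret, t)) for t in (0, 30, 60)]
    print("toy observations:", observations)
    print("toy secrets consistent with them:", secrets_consistent_with(observations, 2))
    print("real search space is 2**%d times larger" % (8 * 20 - 8 * 2))
```

Two things the demonstration makes concrete. First, several observations narrow the candidate set only by ruling out secrets, never by revealing structure in the code sequence: with a 2-byte secret one 6-digit code already leaves fewer than one expected false candidate, and three observations pin it uniquely, but the same search over 160-bit secrets is out of reach by any published attack on HMAC-SHA1. Second, a verifier that accepts a drift window must still rate-limit and reject replays of a code already used in its step, since the window widens the guessing surface for an attacker who has none of the above.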
Source: https://stackoverflow.com/questions/61263117/is-it-possible-to-predict-future-2fa-values-given-older-values-with-timestamps