
Ask HN: Why don't more apps use OTP as the first factor? - theschmed
Hi,

Is there a reason besides inertia why most applications that require authentication use a secret like a password for the primary factor, rather than using an OTP app?

For context about me: I am pretty new to programming, learning web application development. So maybe this would be a Very Bad Idea, and I just don't know why yet!

But it seems to me that some advantages of using an OTP would be:

1. It would be easier to temporarily grant someone else access to your account - as long as the app gives you a way to log out all other sessions and reauthenticate

2. It would remove the burden of remembering/managing unique passwords from the user
======
gpapilion
OTP apps require a device or a token. Requiring this removes the ability for a
user to get in if their phone is dead, or lost. The support burden is also
higher for a reset. Nothing is a show stopper, but also painful enough to
prevent wider adoption.

Back in the old days you used to get single use passwords for secure systems.
This creates a similar problem, where losing the sheet meant you needed new
passwords.

~~~
ksaj
When I worked in Zurich, OTP was handled in exactly this way for visitors like
myself. The company I was working with referred to it as a strike list.

------
bruce511
An OTP falls into the "something you have" category[1] whereas passwords are
in the "something you know" category.

Things you have are generally less convenient than things you know - which is
why they're typically the 2nd factor, not the first factor.

[1] I'm assuming you need something to tell you the OTP - that you haven't
memorized them all.

------
gtsteve
For example, there are 999999 combinations for TOTP. You might not be able to
get through all those combinations in 30s but you could probably get through
enough to give you a good chance of access on a long enough timeline.

So, you lock out IP addresses. The attackers move to using a botnet.

So, you lock out specific accesses to an account. The attackers can't move
forward now but they can quite easily and cheaply deny access to a given
account indefinitely.

So when implemented correctly, with a strong enough password policy and a way
to introduce delay, i.e. with bcrypt2 and IP address locking, etc, 2FA makes
it more difficult. The time to access is considerably longer for an attacker.

Of course, you've got similar problems with a password and a second TOTP but
you've increased the difficulty level massively as the attacker must now have
a working password before they can work on the 2FA dialog. At this point, you
can easily spot suspicious behaviour and warn users, etc.
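
As an added illustration of the brute-force and lockout trade-off described above (example code written for this page, not posted by anyone in the thread): a standard-library TOTP verifier (RFC 4226 HOTP / RFC 6238 TOTP) with a per-account failure counter, plus the arithmetic for how likely a run of guesses is to hit a 6-digit code within one 30-second step. The `OtpVerifier` class, its `max_failures` and `lockout_seconds` parameters, the account names and the lockout policy are all constructed for the example; the key `12345678901234567890` is the published RFC test-vector key, so the generated codes can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6   # typical TOTP code length: 10**6 possible codes per time step
STEP = 30    # seconds per TOTP time step


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (`at` defaults to now)."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)


def guess_probability(attempts: int, digits: int = DIGITS) -> float:
    """Chance that `attempts` distinct guesses made within one time step include the valid code.
    With no throttling the code is fixed for the whole step, so this is simply attempts / 10**digits."""
    return min(1.0, attempts / 10 ** digits)


class OtpVerifier:
    """Constructed example of per-account throttling. Assumed policy: after `max_failures`
    wrong codes the account is locked for `lockout_seconds`. Locking by account (rather than
    by client IP) stops a botnet from spreading guesses, but it also means anyone who can send
    wrong codes can keep the legitimate user locked out, which is the denial-of-service
    trade-off discussed in the thread."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, window: int = 1):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window = window  # accept +/- this many steps of clock drift
        self._state = {}      # account -> {"failures": int, "locked_until": float}

    def verify(self, account: str, key: bytes, code: str, now=None) -> str:
        """Returns "ok", "bad" or "locked"."""
        now = time.time() if now is None else now
        st = self._state.setdefault(account, {"failures": 0, "locked_until": 0.0})
        if now < st["locked_until"]:
            return "locked"
        counter = int(now) // STEP
        if code.isdigit() and len(code) == DIGITS:
            for drift in range(-self.window, self.window + 1):
                # constant-time comparison so timing does not leak matching prefixes
                if hmac.compare_digest(hotp(key, counter + drift), code):
                    st["failures"] = 0
                    return "ok"
        st["failures"] += 1
        if st["failures"] >= self.max_failures:
            st["locked_until"] = now + self.lockout_seconds
            st["failures"] = 0
            return "locked"
        return "bad"


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / 6238 test-vector key, not a real secret
    print("code at T=59:", totp(key, at=59))
    print("p(hit) with 5 guesses per step:", guess_probability(5))
    print("p(hit) with 1000000 guesses per step:", guess_probability(10 ** 6))
    v = OtpVerifier(max_failures=3, lockout_seconds=600)
    for _ in range(3):
        print("alice guesses 000000 ->", v.verify("alice", key, "000000", now=59))
    print("alice, correct code while locked ->", v.verify("alice", key, totp(key, at=60), now=60))
```

The two numbers printed by `guess_probability` are the point of the comment above: with an unthrottled endpoint the valid code is a fixed one-in-a-million target for 30 seconds, so the attacker's odds scale linearly with request rate, and with three failures per account per 10 minutes the odds per step drop to 3e-6 while the same counter becomes a lockout lever against the account's real owner.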

~~~
godot
Maybe I misunderstood the OP or the standard usage of the acronym OTP/TOTP is
only for referring to 2FA tokens?

I interpreted his question to mean a one-time-password, not necessarily a
numeric 2FA token, but a string password with ASCII characters, with any
length (or a reasonably long one at least), emailed or SMS'd to the user.

I don't have a great answer for OP other than, I've seen some big sites do it.
For example, I never remember the password of my rarely-used Twitter account.
Every time I have to log in, I use the OTP feature and get emailed a login
link.

~~~
theschmed
Password resets are a great example of an almost universal usage of OTP, thank
you.

Of course, they deliberately discourage you from using that regularly, by
making you set a new passphrase when you log in from a "magic link" sent by
email.

------
gabrielsroka
I think Okta can do (something like) this:
[https://help.okta.com/en/prod/Content/Topics/Security/mfa-fa...](https://help.okta.com/en/prod/Content/Topics/Security/mfa-factor-sequencing.htm)

------
muzani
It also means one point of security. Anyone with my phone has access to the
OTP as well.

------
Raed667
Most users don't even know what an OTP is.

