TOTP vs. HOTP: Which Option Provides Better Passcode Protection
One-time passwords (OTP) date back to the early 1980s, when they were built on a cryptographic hash function for use in an authentication system. Fast forward to today: the idea itself has not changed, and many companies have since patented their own methods for generating and delivering OTP codes. When a technology has been around this long, many attackers try to compromise it through diverse techniques and behaviors. In recent years, we have seen attackers continue to try to compromise MFA by circumventing it or by going straight through it with phishing attacks.
During the pandemic, the U.N. disarmament chief warned that cybercrime was on the rise, with a 600% increase in malicious emails. That increase in attack and phishing campaigns leaves more familiar options like OTP more susceptible. A study by Google measured how well device-based OTP prompts prevented three different attack types: OTPs still helped prevent 100% of bot attacks and 99% of bulk phishing attacks, but only 90% of targeted attacks. While better than SMS codes, this did not compare to security keys, which thwarted 100% of all three attack types.
While we still recommend security keys or Duo Push with Verified Push over other authentication methods when feasible, we recognize that certain organizations, their environments, and where they are on their security journey still require the ease and flexibility of OTP passcodes. We want to meet you where you are and, in doing so, provide you with the most secure option possible. In this case, that is TOTP.
What is HOTP, what is TOTP & what is the big difference?
There are two options when it comes to OTP: Hash-based Message Authentication Code (HMAC) based One-Time Password, or HOTP for short, and Time-based One-Time Password, or TOTP for short. HOTP uses an event-based algorithm: each code is tied to an event counter and is invalidated once the user uses it. TOTP uses a time-based algorithm: each code is tied to a time counter and is invalidated once its time-to-use countdown reaches zero. Duo now has both options available for users, and we recommend moving strictly to TOTP once your organization can (we discuss how to achieve this below).
Why use TOTP instead of HOTP?
Given how each option operates, HOTP is more susceptible to successful compromise if an attacker can phish and harvest these codes from a user. Combined with a compromised primary credential, the attacker can take their time to plan out an attack or even use the access for monetary gain. TOTP can impede and stop these types of attacks even if a previous OTP code was harvested or phished from a user: the TOTP code is invalidated after 30 seconds even if the user never used the code to begin with.
This raises the bar significantly over HOTP for organizations that still need to rely on the OTP method. OTP remains a very effective preventative measure against the three types of attacks from the study above: bot attacks, bulk phishing attacks, and targeted attacks. Primary credentials alone remain far more vulnerable: 99.9% of compromised accounts do not have MFA, and 50% of those are the cause of breaches.
How Duo Mobile TOTP settings are configured & things you should know
To find the settings, navigate to the Settings section in the left menu bar of your Duo Admin Panel. From there, click Duo Mobile App and locate the Passcodes section. You will have three options to prepare your migration to TOTP, with a final option to permanently disable HOTP:
Do not generate TOTP codes in Duo Mobile.
Generate TOTP codes in Duo Mobile for specific groups.
Generate TOTP codes in Duo Mobile for all users. With an option to “Discontinue HOTP support permanently” when your organization is ready.
Prerequisite:
Mobile devices with Duo Mobile 4.49.0 or newer will generate TOTP codes when enabled in the setting above. Older versions of Duo Mobile will generate only HOTP codes.
Frequently asked questions:
I do not see the “Passcodes” setting at all in my Duo Admin Panel?
For customers who sign up for a new Duo account after May 2024, the tenant will automatically default to TOTP codes only. You will not see the “Passcodes” settings section shown below, as this default is not interchangeable. This applies to both Users and Administrators.
What about my Administrators accounts?
Duo Administrators have been updated to support TOTP by default if they are on Duo Mobile 4.49.0 and later.
What if some Administrators still have an older version of Duo Mobile?
We will also support HOTP codes for Duo Administrators who have older Duo Mobile App versions until you change your Passcodes settings to “Discontinue HOTP support permanently” in your Admin settings. This is the only setting in the “Passcodes” configuration section that applies to both end users and administrators.
Best Practices for migration from Duo Mobile HOTP to TOTP
Given that this is a change to the OTP method, we have implemented options in the settings that allow your organization to migrate to TOTP as slowly or as quickly as is feasible for your users. Note that the delivery, end users' usage, and experience do not change at all; the migration is seamless from an end-user perspective. The main difference in experience is the time allotted for the end user to input the code before it expires and the visible countdown on the end user's Duo Mobile App screen once TOTP is enabled.
Fast big bang approach:
If it makes sense for your organization to implement this in one fell swoop, you can select the option “Generate TOTP codes in Duo Mobile for all users” first. This starts enforcing TOTP for users on Duo Mobile App versions 4.49.0 and newer. Users with older Duo Mobile App versions will continue to receive HOTP codes, and those codes will keep working until you discontinue HOTP support permanently in your settings.
Planned Phased Approach:
If it makes more sense for your organization to test first and/or roll out in a methodical, phased approach by groups of users, you can select “Generate TOTP codes in Duo Mobile for specific groups.” Users you have added to the Group(s) in this setting will generate TOTP codes, while all other users continue to generate and use HOTP codes. You can take your time adding groups to the setting until your organization is ready to activate TOTP codes in Duo Mobile for ALL users.
Disabling HOTP Codes in Duo Mobile App Permanently.
In both cases, we recommend waiting for a set period to review and monitor your users' authentications before completing the final step of discontinuing HOTP support permanently for the Duo Mobile App. Two important notes:
This setting is only for Duo Mobile App and will not affect your OTP Hardware Tokens.
This setting is permanent once you save the discontinued use of HOTP codes. We cannot reverse this action; the goal is for all accounts to use the more secure TOTP option for your Duo-protected apps.
Easily monitor & keep track of your migration with Duo’s robust logging & reporting
Your administrators will have complete visibility during testing, migration, and finally disabling HOTP codes through Duo’s authentication logs. In those logs you will see a clear distinction between users who use HOTP codes and users who use TOTP codes, which helps your organization track the migration to TOTP through its various stages, as shown in the example below. You can view the logs directly in your Duo Admin Panel by navigating to Reports → Authentication Log, or retrieve them through Duo’s Admin API (application programming interface) for a customized view.
While TOTP is not a “one solution to rule them all” that stops every phishing attack, it is a step forward that dramatically improves prevention of the attack vector HOTP leaves open, making it more difficult to compromise users' accounts. On your journey to a Zero Trust architecture and a hardened security posture against all the old and new ways attackers try to compromise your environment, Duo has the tools you need to make a big dent in thwarting cyber criminals and increasing your security.
On top of TOTP, you can layer additional Duo security features into your arsenal, such as Risk-Based Authentication with novel IP detection for codes and impossible travel, Trusted Endpoints to allow access only from machines your organization deems trusted, passwordless authentication, and Single Sign-On, to name a few.
For interested customers who would like to continue the conversation with a trusted advisor and further strategize a customized plan for your migration and best practices, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.
Additional resources
Google Security Blog - New research: How effective is basic account hygiene at preventing hijacking