21 Dec 2021
I read a blog post on welt's blog (welt.spiderden.net) about their opinions on why TOTP codes (commonly referred to as 2FA codes) should replace passwords.
In general, I wholeheartedly agree with the entire article. It would make accounts much more secure and would be way easier to use than remembering passwords especially for children and the elderly.
It also doesn't hide the downsides. It accepts that the TOTP secret would have to be stored unhashed, so that both the server and the user can generate and verify codes, but points out that this tradeoff is small since the TOTP secret will be unique to each service.
My only problem with this is that most people will be generating OTP codes on their smartphone, a relatively secure device on the software side. Since most people nowadays carry their phone around with them as if it were a fifth limb, the possibility of losing your phone or having it stolen comes up.
You could also break or damage your phone in some way, like with water damage or dropping it face down. Most authenticator apps don't offer a way to back up locally, so people opt for remote cloud backups, which are less secure.
This is most likely gonna be immediately remedied with backup codes that the user downloads onto their computer, but an uninitiated user may not know how to use them, and an unorganised user may find themselves in a situation where they have misplaced the codes, or the drive the codes were on has become corrupted, and now they've permanently lost the data.
Of course, there are going to be downsides at all levels of security: passwords have the issue of reuse and forgetfulness, while TOTP codes have the issue of device damage and user mismanagement. I still think TOTP would make a secure replacement for passwords (plus my password manager KeePassXC can handle TOTP codes too ;D)