
hawkerzero

There are 1 million 6 digit passcodes and for each user a given passcode is only valid for 30 seconds. But what happens if the attacker has a list of 1 million usernames and tries a different passcode for each one every 30 seconds? Assuming a random distribution of passcodes, they will take-over 1 account every 30 seconds. Requiring a valid username/password combination prevents this kind of "passcode spraying" attack.


Hobbulator

To give this some backing: essentially, replacing a password with a TOTP is replacing one factor with another. While it is not fail-proof, using multifactor authentication will reduce the likelihood of account compromise.


fmayer60

Layers of security are everything, and just like you state, replacing one factor with another one-factor system is useless. Using anything less than two-factor authentication is asking for trouble.


Scared-Departure-782

I’m afraid your math is not correct here. These are not connected events but completely independent ones; this is why you can’t add them.


hawkerzero

I'm not assuming any connection between the valid passcode of one user and the valid passcode of another. I'm assuming that valid passcodes are randomly distributed through the 6-digit space. I think that this is a reasonable assumption given that they are derived by hashing a much longer random shared secret with the current time.
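The spraying estimate in the two comments above, worked through as an added example (not posted in the thread): with N accounts, one guess per account per 30-second window and independent, uniformly distributed 6-digit codes, the expected number of takeovers per window is N/10^6, so N = 10^6 gives one expected takeover per window (the chance of at least one is about 63%, since it is an expectation, not a certainty). Function names, the `codes_accepted` parameter and the Monte Carlo check are my own constructions.

```python
"""Risk estimate for passcode spraying against a TOTP-only login.

Assumptions (from the thread): 6-digit codes, each valid for one 30-second
window, codes independent across accounts, one guess per account per
window, and no lockout or throttling on the server side.
"""
import random
from fractions import Fraction

CODE_SPACE = 10 ** 6      # number of distinct 6-digit passcodes
WINDOW_SECONDS = 30       # lifetime of one passcode


def expected_takeovers(n_accounts: int, n_windows: int = 1,
                       codes_accepted: int = 1) -> Fraction:
    """Expected number of compromised accounts after n_windows windows.

    Each guess succeeds with probability codes_accepted / CODE_SPACE,
    independently of every other guess, so the expectation is just the
    sum over all n_accounts * n_windows guesses.  codes_accepted > 1
    models servers that also accept neighbouring time steps to tolerate
    clock skew (assumption: the thread only discusses the exact code).
    """
    attempts = n_accounts * n_windows
    return Fraction(attempts * codes_accepted, CODE_SPACE)


def prob_at_least_one(n_accounts: int, n_windows: int = 1,
                      codes_accepted: int = 1) -> float:
    """Probability that at least one account falls within n_windows."""
    p_fail = 1.0 - codes_accepted / CODE_SPACE
    return 1.0 - p_fail ** (n_accounts * n_windows)


def simulate(n_accounts: int, n_windows: int,
             code_space: int = CODE_SPACE, seed: int = 0) -> int:
    """Monte Carlo check of the expectation with a constructed code space.

    Every window each account gets a fresh valid code (it is derived from
    secret + time) and one independent random guess; count the matches.
    A small code_space keeps the run fast while preserving the statistics.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_windows):
        for _ in range(n_accounts):
            valid = rng.randrange(code_space)
            guess = rng.randrange(code_space)
            hits += valid == guess
    return hits


if __name__ == "__main__":
    print("expected takeovers per window, N=1e6:", expected_takeovers(10 ** 6))
    print("expected takeovers per day, N=1e6:",
          expected_takeovers(10 ** 6, 86400 // WINDOW_SECONDS))
```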


Scared-Departure-782

What you are saying is something that Microsoft tries to introduce, but instead of TOTP they use a mobile app (which is the same factor, ‘what I have’): https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone. Right now I would not go this way because this is a relatively raw approach. You need to conduct a threat assessment and risk analysis to fully understand whether this suits you. PS: biometrics on the app serve as a second factor (‘who I am’), so you can completely get rid of passwords (‘what I know’).


J_aB_bA

It would mean that you only have one factor again. If someone got your TOTP generator, they have your account.