No rate limiting over the OTP

Aditya Chauhan
3 min read · Feb 20, 2023

One-time passwords (OTPs) are widely used for two-factor authentication (2FA) and are considered a secure way to protect user accounts. However, some services send and verify OTPs without rate limiting, leaving accounts vulnerable to brute force attacks. In this blog, we will discuss the dangers of OTPs without rate limiting, walk through a practical example of how such an attack plays out, and explain what can be done to prevent it.

What is OTP?

An OTP is a password that is valid for only one login session or transaction. OTPs are usually sent via SMS or generated by a mobile app, and are used in conjunction with a username and password to provide an additional layer of security for user accounts.

What is rate limiting?

Rate limiting is a security measure that restricts the number of requests or actions that can be performed by an individual or IP address within a given time period. It is used to protect against brute force attacks, in which an attacker attempts to gain access to a user account by guessing the correct password or OTP.

No rate limiting over OTP

Some applications or services do not implement rate limiting over OTPs, which makes them vulnerable to brute force attacks. Attackers can use automated scripts to send a large number of OTP requests to the target account without being detected. If the OTPs are not rate limited, the attacker can try all possible combinations of OTPs until they find the correct one and gain access to the account.

Practical example of an attack

To demonstrate the dangers of OTPs without rate limiting, consider a scenario where an attacker wants to gain access to a user’s account. The attacker knows the user’s username and has obtained the target user’s phone number.

The attacker then uses an automated script to submit a large number of OTP guesses against the target account without being detected. Because nothing limits the number of attempts, the attacker can work through every possible combination until the correct one is accepted and gain access to the account.

For example, if the OTP is a six-digit number, there are one million possible combinations. With an automated script that can send 100 OTP requests per minute, it will take the attacker around 17 minutes to try all possible combinations. If the OTP is not rate limited, nothing stops the attacker from sending requests until the correct OTP is found and the account is compromised.

Preventing attacks on OTPs

There are several measures that can be taken to prevent brute force attacks on OTPs:

  1. Implement rate limiting: Implement rate limiting over OTPs to prevent attackers from sending a large number of requests within a short period of time. Rate limiting can be done based on the number of requests per minute or per hour.
  2. Use longer OTPs: Longer OTPs with more digits are more secure and less vulnerable to brute force attacks. A six-digit OTP can have up to one million possible combinations, while an eight-digit OTP can have up to one hundred million possible combinations.
  3. Use time-based OTPs: Time-based OTPs (TOTPs) are valid for a short period of time, usually 30 seconds. TOTPs can prevent replay attacks and are more secure than static OTPs.
  4. Implement account lockout: If an account receives a certain number of incorrect OTP attempts within a given time period, the account can be locked out. This prevents attackers from guessing OTPs indefinitely.
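As an added example (this is not code from the article or its author), the following Python sketch shows a verification endpoint that applies the measures listed above together: a per-IP sliding-window rate limit on the verify call, a code that expires after a fixed lifetime, single use of an accepted code, and lockout of the outstanding code after a fixed number of wrong guesses. The `minutes_to_exhaust` helper recomputes the exhaustion time from the keyspace size and a given request rate so the estimate in the text can be checked for any rate, and `success_probability` gives the chance a guesser has with the attempt budget that lockout leaves them. The class name `OtpVerifier`, the policy constants, the account name and the IP address 203.0.113.7 are all constructed for the demonstration.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Policy values are constructed for this example, not taken from the article.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code is refused this long after it was issued
MAX_FAILURES = 5           # wrong guesses before the outstanding code is locked
IP_WINDOW_SECONDS = 60
IP_MAX_REQUESTS = 10       # verification calls allowed per source IP per window


def minutes_to_exhaust(digits: int, requests_per_minute: float) -> float:
    """Minutes an unthrottled guesser needs to submit every code of this length."""
    return 10 ** digits / requests_per_minute


def success_probability(digits: int, attempts: int) -> float:
    """Chance a guesser wins with a budget of `attempts` distinct guesses."""
    return min(attempts, 10 ** digits) / 10 ** digits


class OtpVerifier:
    """Issues one-time codes and enforces expiry, per-account lockout and a
    per-IP sliding-window rate limit on the verification endpoint."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so the demo can control time
        self._pending = {}                  # account -> [code, issued_at, failures]
        self._ip_hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def issue(self, account: str) -> str:
        # Fresh random code; issuing replaces any outstanding code and resets failures.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = [code, self.clock(), 0]
        return code  # delivered out of band (SMS, app); returned here only for the demo

    def _ip_allowed(self, ip: str) -> bool:
        now = self.clock()
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= IP_WINDOW_SECONDS:
            hits.popleft()                  # forget requests outside the window
        if len(hits) >= IP_MAX_REQUESTS:
            return False
        hits.append(now)
        return True

    def verify(self, account: str, candidate: str, ip: str) -> str:
        """Returns one of: ok, rate_limited, locked, expired, wrong."""
        if not self._ip_allowed(ip):
            return "rate_limited"           # checked first; account state is untouched
        entry = self._pending.get(account)
        if entry is None:
            return "wrong"                  # no outstanding code looks like a bad guess
        code, issued_at, failures = entry
        if self.clock() - issued_at > OTP_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        if failures >= MAX_FAILURES:
            return "locked"                 # even the right code is refused until reissue
        if hmac.compare_digest(code, candidate):
            del self._pending[account]      # single use
            return "ok"
        entry[2] += 1
        return "wrong"


def demo():
    """Replays 20 wrong guesses from one IP, one per second, then the real code.
    Returns (outcomes, after_cooldown, after_reissue, reuse)."""
    now = [1_700_000_000.0]                 # constructed clock value
    v = OtpVerifier(clock=lambda: now[0])
    real = v.issue("alice")
    outcomes = []
    for i in range(20):
        now[0] += 1
        # Offsets 1..20 never wrap back onto the real code, so every guess is wrong.
        wrong = f"{(int(real) + i + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
        outcomes.append(v.verify("alice", wrong, ip="203.0.113.7"))
    now[0] += 61                            # IP window has elapsed; lockout has not
    after_cooldown = v.verify("alice", real, ip="203.0.113.7")
    real = v.issue("alice")                 # the user requests a fresh code
    after_reissue = v.verify("alice", real, ip="203.0.113.7")
    reuse = v.verify("alice", real, ip="203.0.113.7")
    return outcomes, after_cooldown, after_reissue, reuse


if __name__ == "__main__":
    print(minutes_to_exhaust(6, 100))
    print(success_probability(6, MAX_FAILURES))
    print(demo())
```

In the replay, the first five guesses are counted as failures, guesses six to ten are refused as `locked`, and guesses eleven onward are refused as `rate_limited` before the account is even looked up. After the IP window passes, the correct code is still refused until a new one is issued, which is the point of the lockout: with five attempts against a six-digit code, a guesser's chance is five in a million per issued code.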

Conclusion

OTP is a widely used security measure for protecting user accounts. However, OTPs without rate limiting can be vulnerable to brute force attacks. Implementing rate limiting, using longer OTPs, using time-based OTPs, and implementing account lockout can help prevent attacks on OTPs. It is important to keep security measures up to date and to stay informed about new security threats and best practices. By doing so, you can ensure
Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher