Please correct me if I\'m wrong anywhere, but from what I understand , popular m

Question

Please correct me if I'm wrong anywhere, but from what I understand , popular mobile phone based two factor authenticators like Google Authenticator implements TOTP which uses a shared secret key that is shared between the phone and the authenticating server.

Why did they decide to use a single shared secret key when they could have used a public/private key pair? The phone would store the private key and can sign an increment counter/timestamp and the authenticating server could verify the signature with the public key. It seems more secure since a breach in the authenticating server wouldn't be able to compromise the user's secret key? Is there any advantages that a shared secret key provides?

Explanation / Answer

Path of least resistance.

Shared secrets are easier to use, which means easier to write implementations against. Public key systems are significantly more difficult to write implementations against, therefore fewer people will do it.

There are asymmetric key-based protocols out there that do offer more/different protections and change the security requirements significantly, but they are fundamentally more difficult to implement.

It's the same basic reason people still ask why static passwords still exist and why they weren't done away with 20 years ago with certificates and PKI -- because its a PITA and a significant investment to do correctly.

Related Questions

Navigate

• Browse (All)
• Browse P
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.