DEV Community

Cover image for 2FA with FIDO U2F / OTP / HOTP / TOTP
Peeyush Man Singh
Peeyush Man Singh

Posted on


Two-factor authentication (2FA) is an authentication method where the user is granted access only after successfully authenticating oneself via two mechanisms.

  1. Knowledge: something the user knows (eg. password, PIN)
  2. Possession: something the user has (eg. physical key, smartphone)
  3. Inheritance: something the user is (eg. fingerprint, iris scan)

With 2FA, a compromise of one of these factors will not provide access to the account. So, even if your password is stolen or your phone is lost, it is highly unlikely for the attacker to gain access to your account. Generally a combination of username/password and a second authentication factor is used to authenticate the user to the service.

Common 2FA authentication methods include:

  • Hardware tokens [FIDO U2F / HOTP]
  • SMS / Voice based [OTP]
  • Software tokens for 2FA [TOTP]
  • Biometric (Fingerprint, Retina pattern, facial recognition)

  • OTP - One Time Password

  • HOTP - Hash based One Time Password

  • TOTP - Time based One Time Password

  • FIDO U2F - Fast Identity Online Universal Second Factor


The user receives an SMS or a voice call with their One Time Password. OTPs are generated with algorithms generating random numbers. It is therefore also resistant to replay attacks since one OTP is only tied to one session. Industry standard algorithms such as SHA-1 generate OTPs with a shared secret and a moving factor.

Many services use SMS OTP as a second form of authentication. It might be more convenient, but is less secure. Sim porting attacks allows an attacker to take over the victim's number to their own device and receive SMS destined to the victim.


Similar to OTP, HOTP is generated with a shared secret and the moving factor is based on a counter. Each time HOTP is requested and validated, the counter is incremented. The HOTP generator and the server are synced each time the code is validated. To calculate an OTP, the shared secret and the counter are fed into the HMAC algorithm, which uses SHA-1 as a hash function.

The HOTP code is valid until a new code is generated, which is now seen as a vulnerability. Yubico's Yubikey is an example of OTP generator that uses HOTP.


TOTP is used to generate a regularly changing code based on a shared secret and current time. It is similar to HOTP, but the counter is replaced with timestamp values. Each code is generally valid for 30 seconds. If the code is not used in this window, it will become invalid and a new code has to be generated. The server should additionally account for time drifts.

Authenticator apps such as Google Authenticator, Authy, 1Password can be used to generate TOTP.

It is impossible for the attacker to guess the secret keys based on any OTP. OTP, HOTP and TOTP are still susceptible to phishing attacks. If a victim enters the username/password and the OTP into a malicious page, the attacker can quickly use them on the target site, thus gaining control of the user's account.


FIDO U2F is an open authentication standard, which allows users to access online services with a physical security key. It works out of the box without any device drivers or software installations. The user also does not have to type in the key unlike OTPs.

When the user first wants to register a key with an account, the security key generates a private key with a random number (nonce) and uses a secure hashing function to hash the nonce, domain of the website that the user is in in and a secret key. FIDO U2F uses HMAC-SHA-256 which is more secure than TOTP hash function (SHA-1). From this private key, a public key is generated with a checksum, also secured by secure hash and sends this to the server along with the nonce. The secret key never leaves the device.

For logging in after registration, the user needs to plug in the key and press the button. The server generates a challenge - a random number and passes this along with the nonce and checksum generated on registration. The security key applies the same process to generate the same private key and uses the checksum to confirm that the nonce did come from the device. The device then signs the challenge with the private key using ECDSA (Elliptic Curve Digital Signature Algorithm) and sends this to the server. The server verifies the signature using the public key.

Yubico Yubikey

Yubico Yubikey

Since the domain of the website is used to generate the key, during a phishing attack it will generate a different key and the checksum will fail. So the attacker cannot gain access to the real signature.

It is a hardware security token, so even if the computer is infected with malware, attackers wont be able to steal the secret key in it. The key also requires a human to physically press the button (HID protocol), so it cannot be activated remotely.

Even if an attacker manages to infect the server and steal the public key from the server, they would still not be able to sign the challenge and login. The private key is still stored in the security key. The challenge response mechanism also prevents replay attacks and the signature from the key is also single use.

The same U2F device can be used to authenticate for multiple services. There is no way for anyone to know it was the same device, even if they had access to both databases.

Most keys aren't Bluetooth enabled, so they don't require batteries or maintenance.

If the USB token is lost or stolen, there is no user information that is saved on it. They also can't be cloned, as the private information on the key can't be extracted. So it is impossible for an attacker to determine who it could be used for and on what services. Users can register two U2F devices with every service, so even if one key is lost the other one can be used to unlock the account.

However, the downside is that it costs money to buy a dedicated security key, unlike TOTP, which is free. Also you have to carry around a key and there are chances it might get lost or misplaced, so you need to have an additional key in a secure location, so that you don't get locked out of your account.

Yubico's Yubikey is a popular implementation of FIDO U2F. It works over USB and NFC.

FIDO U2F offers strong security with easy-to-use method, but comes at a cost, although relatively cheap (Yubikeys starting at €45). TOTP also offers good security for free of cost. Password and SMS OTP is still better than password alone. 2FA should be used as an additional security layer and not as to weaken existing ones, such as using weak password or using the same password everywhere.

Happy hacking!

Top comments (0)