Topic: Many web wallets/exchanges only use an 80 bit shared secret for time-based 2FA

legendary
Activity: 3010
Merit: 1028
Exchanges really lack security nowadays; no wonder some of them got hacked and lost a few thousand BTC, like what happened before.
hero member
Activity: 900
Merit: 1014
advocate of a cryptographic attack on the globe
Could the 2FA secret be calculated in a realistic time frame on those exchanges using 80 bit?
Depends how much money someone is willing to invest, but that number comes down every year.
legendary
Activity: 1512
Merit: 1012
Could the 2FA secret be calculated in a realistic time frame on those exchanges using 80 bit?
hero member
Activity: 900
Merit: 1014
advocate of a cryptographic attack on the globe
I took a look at the length of the shared secret, K, provided by the services listed below. They use the time-based OTP algorithm, RFC 6238. The HMAC-based OTP algorithm, RFC 4226, requires a 128 bit key and recommends a 160 bit key. RFC 6238 makes no such recommendation, although Google uses 160 bit and Amazon uses 320 bit for their own services. This is not an immediate practical issue, but these services should increase key lengths and be careful about using defaults.

320 bit: Amazon
256 bit: BTC-E
160 bit: Google, CEX.IO
120 bit: Kraken
80 bit: Coinbase, Bitstamp, Bitfinex, Poloniex, Purse, LocalBitcoins, OKCoin
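To make the key-length comparison in the post above concrete, here is an added example (not the poster's code, and not taken from any of the listed services) that reads a base32-encoded TOTP provisioning secret, reports its bit length against the RFC 4226 minimum of 128 bits, and implements RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1 so the length can be checked against real codes. The two base32 secrets in the block are constructed examples: a 16-character string decodes to 10 bytes (80 bits, the size most of the listed exchanges hand out), a 32-character string to 20 bytes (160 bits, the RFC 4226 recommendation). The last function shows why length matters: anyone who has seen a few codes can test candidate keys offline, so the key length is the only thing standing between them and the secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secrets (NOT real account secrets) in the base32 form
# that authenticator apps import from a QR code / otpauth:// URI.
SECRET_80_BIT = "JBSWY3DPEHPK3PXP"                   # 16 base32 chars -> 10 bytes
SECRET_160_BIT = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # 32 base32 chars -> 20 bytes

RFC4226_MIN_BITS = 128   # RFC 4226 section 4: key MUST be at least 128 bits
RFC4226_REC_BITS = 160   # RFC 4226 section 4: key SHOULD be 160 bits


def decode_secret(b32_secret: str) -> bytes:
    """Decode a base32 shared secret, tolerating spaces, lowercase and missing padding."""
    s = b32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def secret_bits(b32_secret: str) -> int:
    """Bit length of the shared secret K (an upper bound on its entropy)."""
    return len(decode_secret(b32_secret)) * 8


def meets_rfc4226_minimum(b32_secret: str) -> bool:
    """True if the secret is at least the 128 bits RFC 4226 requires."""
    return secret_bits(b32_secret) >= RFC4226_MIN_BITS


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, digest)


def key_consistent_with_observations(key: bytes, observations, digits: int = 6) -> bool:
    """Offline check an attacker can run: does this candidate key reproduce every
    (unix_time, code) pair they have observed? With 6-digit codes each observation
    rules out all but ~1e-6 of wrong keys, so a handful of observed codes is enough
    to identify the true key once a search of the key space is affordable."""
    return all(totp(key, t, digits=digits) == code for t, code in observations)


def rfc6238_check():
    """Reproduce two RFC 6238 Appendix B test vectors (SHA-1, 8 digits)."""
    key = b"12345678901234567890"
    return totp(key, 59, digits=8), totp(key, 1111111109, digits=8)


if __name__ == "__main__":
    for label, secret in (("80 bit", SECRET_80_BIT), ("160 bit", SECRET_160_BIT)):
        print(f"{label}: {secret_bits(secret)} bits, "
              f"meets RFC 4226 minimum: {meets_rfc4226_minimum(secret)}")
    print("RFC 6238 vectors:", rfc6238_check())
```

The `secret_bits` check is the quickest way to audit a service: scan the QR code or open the otpauth URI it shows during 2FA enrollment, read the `secret=` parameter, and count. Sixteen base32 characters is 80 bits regardless of how the service describes it.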