Computing desk
< May 16	<< Apr \| May \| Jun >>	May 18 >

Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.

May 17

Two-factor authentication

Why 2FA such as Google Authenticator is safe? If I know someone's password, open a bunch of programs to submit all the codes generated in one minute to make a Brute-force attack, is it still safe? -Lemonaka‎ 07:55, 17 May 2023 (UTC)[reply]

Generally you cannot submit more than a few codes a minute (say 6 or so) and the code to use changes every 30 seconds. So theoretically you could get lucky, but your chances won't be very high. Not sure what the opening of a bunch of programs has to do with it.... —TheDJ (talk • contribs) 09:27, 17 May 2023 (UTC) In other words you get locked out if you fail three times.[reply]

The authentication servers I am familiar with (RSA for example) allow only three tries to match a randomly generated code. No, brute force attacks will not work. Elinruby (talk) 04:03, 20 May 2023 (UTC)[reply]

It appears that the suggestion is to open 10,000 instances of the login for some secured application and automate the process of logging in with a username and password and then have each of the 10,000 instances try every possible 2FA sequence from 0000 to 9999 all at the same time. One of them (technnically 2 to 4 of them) will get it correct. If the backend is developed by someone who doesn't know what they are doing, this could work. The backend should recognize that the same username/password is being used 10,000 times all at once and each of those is waiting for 2FA at the same time. So, even if you use the correct 2FA, it won't be allowed. But, security is only as good as the ability of the person implementing it. 97.82.165.112 (talk) 13:03, 17 May 2023 (UTC)[reply]

Any competent WAN admin will have multiple layers of security, yes. Authentication is just one measure, and 128 bit is ideal. But beyond that it depends a lot on whether the setup is for Joe's Bait Shop or Pemex so it is pretty much impossible to discuss this in the abstract. And BEANS. Elinruby (talk) 04:16, 20 May 2023 (UTC)[reply]

Without regards to a specific implementation or use; many systems have a login throttle implemented, which is designed to prevent brute-force attacks; it only allows a relatively small number of login attempts in a set period of time. --Jayron 32 14:24, 17 May 2023 (UTC)[reply]

Note that standard Google Authenticator TOTP is 6 digits, so 10k is off by two orders of magnitude. Nil Einne (talk) 06:38, 18 May 2023 (UTC)[reply]

Yeah, thanks for clarifying. I didn't want to say it so comprehendible. Some LTA is trying to crack everyone's password and letting these out maybe WP:BEANS for them.
Anyway, I didn't test whether wikimedia has such protection against brute-force attacks. It's unlikely common login attempts because all the attempts are with correct password and hackers just have to leave a lot of pages for 2FA certification. Then they will submit bunch of 2FA codes, nearly 10K. If one of them got right, then they can have your account's access. -Lemonaka‎ 19:19, 18 May 2023 (UTC)[reply]