We reverse engineered the top 22 general purpose Android TOTP apps and found that many backup implementations allowed the developer or other third parties to access personal user information, had serious cryptographic flaws, and/or allowed the app developers to access the TOTP secrets in plaintext. Most backup strategies also ended up placing trust in the same technologies that TOTP 2FA is meant to supersede: passwords, SMS, and email. Next, we surveyed 330 current and former users of popular TOTP apps. A significant portion lacked basic awareness of account lockout risks. Two-thirds of current users had cloud backups enabled, exposing them to some of the security and privacy issues previously uncovered. Many of them did not know that the feature existed or that it was enabled, raising questions about whether they provided informed consent. The majority of current users were uncomfortable with anyone being able to read data from their cloud backups. About one third had experienced account lockout, but most regained access quickly using alternative 2FA mechanisms (e.g., SMS 2FA). Notably, 13% of current users had no TOTP backup plan at all, putting 10+ million people at heightened risk of account lockout when extrapolated across the hundreds of millions of TOTP app users.