Submit an Internet-Draft

idnits 2.17.00 (12 Aug 2021)

/a/www/www6s/staging/draft-strbac-totp2-00.txt:

  Showing Errors (**), Flaws (~~), Warnings (==), and Comments (--).
  Errors MUST be fixed before draft submission.  Flaws SHOULD be fixed before draft submission.

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Running in submission checking mode -- *not* checking nits according to
  https://www.ietf.org/id-info/checklist .
  ----------------------------------------------------------------------------


     No nits found.

ietf                                                           D. Strbac
Internet-Draft                                                   Mercata
Intended status: Informational                              23 July 2023
Expires: 24 January 2024


                      TOTP2 Authentication Scheme
                         draft-strbac-totp2-00

Abstract

   We present a second-factor authentication scheme that extends the
   Time-Based One-Time Password (TOTP) method to provide superior
   protection against phishing attacks.

   Unlike traditional one-time password flows that solely authenticate
   the user with the service, our approach introduces an extended flow
   that seamlessly authenticates both the user and the service to each
   other.  This enhanced process ensures a secure submission of the
   user's second-factor authentication via a secondary and secure
   communication channel.

   By verifying the service's authenticity to the user, our scheme
   establishes a robust defence against potential phishing attempts,
   enhancing the overall security of the authentication process.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 January 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.




Strbac                   Expires 24 January 2024                [Page 1]
Internet-Draft         TOTP2 Authentication Scheme             July 2023


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Naming  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Background  . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Authentication Scheme Overview  . . . . . . . . . . . . . . .   4
   4.  Detailed Scheme Description . . . . . . . . . . . . . . . . .   5
     4.1.  TOTP2 Registration  . . . . . . . . . . . . . . . . . . .   5
       4.1.1.  Registration URI  . . . . . . . . . . . . . . . . . .   5
     4.2.  Service OTC Generation  . . . . . . . . . . . . . . . . .   7
     4.3.  Service OTC Verification  . . . . . . . . . . . . . . . .   7
     4.4.  Client OTC Generation . . . . . . . . . . . . . . . . . .   8
     4.5.  Optional Password Entry . . . . . . . . . . . . . . . . .   8
     4.6.  TOTP2 Code Submission . . . . . . . . . . . . . . . . . .   9
     4.7.  Authentication  . . . . . . . . . . . . . . . . . . . . .   9
   5.  Recovery Procedure  . . . . . . . . . . . . . . . . . . . . .  10
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  12
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   The TOTP2 authentication scheme builds on the Time-Based One-Time
   Password (TOTP) algorithm method defined in [RFC6238].  It enhances
   the security by incorporating two TOTP shared secrets, strictly
   linked to a specific service, and provides a mechanism for securely
   transferring and verifying TOTP codes via HTTPS.  TOTP2 offers
   enhanced protection against phishing attacks without penalizing the
   user experience.









Strbac                   Expires 24 January 2024                [Page 2]