
Personal Finance (Not Investing) • Fidelity as a one stop shop

Your apples-to-oranges comparison is not a valid security analysis. In your example, it is the protocol of replicating the TOTP seed to different devices, and not the design or implementation of the standard TOTP solution that gives rise to the slight reduction in security.
I work in IT and security is a major part of what I deal with day-to-day. My comparison takes into account the reality of the average human who might stumble across this thread in a Google search. I know people who still carry their Social Security card in their wallet, write their password on a sticky note and put it next to their keyboard, use a Debit Card instead of a Credit Card, even though they have a Credit Card but save the Credit Card for emergencies only, don't lock their credit reports (or even know you can lock your credit reports), etc. For someone like that, it would not be outside the realm of possibilities that they would print the QR code on Fidelity's site and take no additional steps to protect it (put it in a safe, etc.).
The reason I consider the VIP app to be very slightly less secure is that I've not seen a way to protect it directly with a biometric authentication. If you use the soft version of Symantec VIP on a phone or tablet, there is the authentication to unlock the phone/tablet, which generally is perfectly adequate, but there are some scenarios where that would fail. With standard TOTP, some of the apps support setting a biometric authentication or PIN to open the TOTP app. This is a slight increase in the level of security, but not a show stopper for the VIP app. This is not of great significance.
If you have VIP installed on a device that supports biometrics, you can turn that ability on in the app settings, just like other TOTP apps.
There also is the matter of length of the TOTP seed in an implementation, which turns out to be a bit of a rabbit hole in the analysis.
Agreed, even a short SHA1 seed from any TOTP solution, when coupled with a complicated password, isn't likely to be a security concern, unless you're being careless with the seed itself, which is the heart of my comment.

Statistics: Posted by volstagg — Sat Nov 09, 2024 3:58 am — Replies 7433 — Views 1431697
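
The seed-handling and seed-length points discussed in the post above, as an added example that is not part of the original thread: a standard TOTP enrollment QR code encodes an `otpauth://` URI containing the seed, and any copy of that seed yields the same codes as the enrolled device. The URI, account name and issuer below are constructed, and the secret is the public RFC 6238 test seed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed enrollment URI of the kind a TOTP QR code encodes. The secret is
# the public RFC 6238 test seed ("12345678901234567890"), not a real one.
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Return (seed_bytes, digits, period) from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    b32 = query["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # authenticator URIs often omit padding
    seed = base64.b32decode(b32)
    return seed, int(query.get("digits", ["6"])[0]), int(query.get("period", ["30"])[0])


def totp(seed, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seed_strength_bits(seed):
    """Length of the shared secret in bits (RFC 4226 requires at least 128)."""
    return len(seed) * 8


if __name__ == "__main__":
    # Two independent "holders" of the same QR contents: an enrolled phone and
    # anyone who reads a printed copy. Neither needs the other's device.
    phone = parse_otpauth(SAMPLE_URI)
    printout = parse_otpauth(SAMPLE_URI)
    for t in (59, 1111111109, 1234567890):
        print(t, totp(phone[0], t, *phone[1:]), totp(printout[0], t, *printout[1:]))
    print("seed bits:", seed_strength_bits(phone[0]))
```

The codes depend only on the seed and the clock, so a stored QR printout or seed backup needs the same protection as the authenticator device itself.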


