Network Working Group B. Contario Internet-Draft Silent Sector Intended status: Informational 25 September 2024 Expires: 29 March 2025 TOTP Secure Enrollment draft-contario-totp-secure-enrollment-00 Abstract This document describes a secure key exchange scheme that extends the Time-Based One-Time Password (TOTP) [RFC6238] de facto enrollment method to prevent compromise of the non-expiring TOTP key by photographic capture of the QR code or by intentional or unintentional persistence of the key string in email, SMS, or other systems outside of the TOTP authenticator system itself. About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://Silent- Sector.github.io/totp-secure-enrollment/draft-contario-totp-secure- enrollment.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-contario-totp-secure- enrollment/. Source for this draft and an issue tracker can be found at https://github.com/Silent-Sector/totp-secure-enrollment. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 29 March 2025. Contario Expires 29 March 2025 [Page 1] Internet-Draft totp-secure-enrollment September 2024 Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminologies . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Requirements Language . . . . . . . . . . . . . . . . . . 5 2. TOTP Background . . . . . . . . . . . . . . . . . . . . . . . 5 3. TOTP Enrollment . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2. Hexadecimal String Enrollment . . . . . . . . . . . . . . 6 3.3. QR Code Enrollment . . . . . . . . . . . . . . . . . . . 6 4. Enrollment Vulnerabilities . . . . . . . . . . . . . . . . . 7 4.1. Hexadecimal String Enrollment Vulnerabilities . . . . . . 7 4.2. QR Code Enrollment Vulnerabilities . . . . . . . . . . . 8 4.3. Elevated Risk for QR Code Enrollment . . . . . . . . . . 8 5. TOTP Secure Enrollment . . . . . . . . . . . . . . . . . . . 9 5.1. Mechanism of Operation . . . . . . . . . . . . . . . . . 9 5.2. Device Enrollment Data . . . . . . . . . . . . . . . . . 10 5.3. Secure Enrollment QR code Workflow . . . . . . . . . . . 12 5.4. Secure Enrollment Copy Paste Workflow . . . . . . . . . . 13 5.5. Workflow Notes . . . . . . . . . . . . . . . . . . . . . 13 5.6. Requirements . . . . . . . . . . . . . . . . . . . . . . 13 5.7. Reference Code . . . . . . . . . . . . . . . . . . . . . 15 5.8. Exclusions . . . . . . . . . . . . . . . . . . . . . . . 16 5.9. Alternative Network Transports . . . . . . . . . . . . . 16 6. Related Enhancements . . . . . . . . . . . . . . . . . . . . 16 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 7.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 17 7.2. TOTP secret key exchange . . . . . . . . . . . . . . . . 17 7.3. Secret key harvesting . . . . . . . . . . . . . . . . . . 17 7.4. Secure Enrollment Flag . . . . . . . . . . . . . . . . . 17 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 9.1. Normative References . . . . . . . . . . . . . . . . . . 18 9.2. Informative References . . . . . . . . . . . . . . . . . 18 Contario Expires 29 March 2025 [Page 2] Internet-Draft totp-secure-enrollment September 2024 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 19 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 20 1. Introduction The common practice of presenting a QR Code for TOTP enrollment exposes the actual shared TOTP secret key used by the TOTP algorithm for multi-factor authentication. A fallback method of showing the key string to be typed or copied and pasted into a multi-factor authenticator application also exposes the key. In both cases the key that is exposed is the permanent shared TOTP secret key that, by current standards and processes, is expected to never expire. The below process instead replaces the secret key in the QR code with a URL to the TOTP service for the authenticator application to get the secret key over a secure network transport. The URL provided uses a one-time use data token (nonce) so only one request for the secret key is honored. If both the user and an attacker use the URL, only one will get the secret key, and only the user will have an active session to complete enrollment by entering the proper TOTP value derived from the secret key. If the attacker gets the secret key, the user will not and the user will be forced to generate a new QR code with a URL to a new secret key until they successfully get the secret key and complete TOTP Verification by entering the current one-time password, meaning the attacker will be guaranteed to not have the same secret key. In cases where the URL to the TOTP service is not accessible, the legacy shared TOTP secret key exchange via QR Code or text string may be offered as a fallback with appropriate warnings displayed against key exposure. 1.1. Terminologies TOTP: Time-Based One-Time Password as described in [RFC6238], and by itself in this document referring only to the algorithm, not the implementation. TOTP secret key: the hexadecimal [RFC6238] string representing a value unique to each prover, per [RFC6238] section 3. hardware token: Usually a dedicated-purpose hardware device that is issued to users. In this document it refers to a device that is pre-set with a TOTP secret key used to display one-time passwords that provide prover functionality. soft token: Usually a software application that provides enrollment and prover functionality without dedicated hardware, usually running on a smartphone, tablet, personal computer, or password manager application. In this document it refers specifically to Contario Expires 29 March 2025 [Page 3] Internet-Draft totp-secure-enrollment September 2024 an application that stores a TOTP secret key and provides TOTP prover functionality. Sometimes referred to in other documents as a “soft token” or “software token”, as opposed to a “hardware token”. prover: In this document referring to an implementation of the TOTP protocol that provides a periodically changing one-time password based on the time and a TOTP secret key. A prover may be implemented as an authenticator application (software token) or implemented as a hardware token. nonce: a randomly-generated cryptographic data token that is used to prevent replay attacks by only allowing the value to be used once, somewhat analogous to a paper ticket that is torn in half or scanned and invalidated when presented for admission to a venue. TOTP service: A service used to enroll and verify the TOTP one-time password provided by a prover and associated with a specific authentication request. Also referred to as a “verifier” in [RFC6238], as described below. verifier: Per [RFC6238] section 3.R1, an authentication or validation server, and in this case for TOTP. enrollment: also referred to as _provisioning_ per [RFC6238] section 4.2, and _registration_ in [draft-strbac-totp2], the exchange of the TOTP secret key between the verifier and the prover, followed by the verification of the prover's one-time password by the verifier, and the respective secure storage and linking of TOTP secret key to an identity for MFA. URL: used explicitly in this document to specify a "Uniform Resource Locator" providing a location and means of access to obtain information via a transfer request. In this document expect the URL to require a transfer using the specified protocol to get the desired information. otpauth URI: used explicitly in this document to specify a "Uniform Resource Identifier" providing information for immediate use for TOTP enrollment, per [totp-uri-format] and [draft-linuxgemini-otpauth-uri]. In this document expect the otpauth URI to convey the desired information in a single step without an additional transfer step required. Contario Expires 29 March 2025 [Page 4] Internet-Draft totp-secure-enrollment September 2024 1.2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. TOTP Background The basis of TOTP [RFC6238] is a symmetric algorithm for both the prover and the verifier to combine a string containing a hexadecimal shared TOTP secret key and the current Unix time [UT] which are hashed using SHA-1 or a similar cryptographic hash algorithm. The result is converted to a decimal number and truncated, typically to 6 or 8 digits, to be used as the one-time password value that the prover supplies and the verifier accepts as valid only if it calculates the same one-time password value. TOTP requires that the TOTP secret key, as defined in [RFC6238] section 3 requirement R2, must be known by both the prover and the verifier. The original implementation of TOTP may have been intended for use primarily in hardware tokens that were factory-issued with an unchangeable TOTP secret key, which was a common practice for hardware tokens, since [RFC6238] did not define a protocol for the TOTP secret key exchange. However, increased use of mobile devices that synchronize their time with wireless communication providers and NTP servers have allowed for the proliferation of authenticator applications running on mobile devices, laptops, and desktop computers, all of which require receiving a unique TOTP secret key from each new verifier. Therefore, a protocol evolved as a de facto industry standard for enrollment to exchange the TOTP secret key, described in the next section. 3. TOTP Enrollment 3.1. Overview For consistency and specificity, the remainder of this document will use the term “TOTP service” in place of “verifier”. For TOTP enrollment using an authenticator application, it is most logical for the TOTP service to generate the shared TOTP secret key using cryptographically secure random number generators to ensure that each prover has a unique TOTP secret key that has not been used elsewhere. Therefore it is an accepted standard for the TOTP service to generate the key and store it securely, and for the authenticator application to simply accept and store the key in a secure manner. Contario Expires 29 March 2025 [Page 5] Internet-Draft totp-secure-enrollment September 2024 The current TOTP enrollment protocol was likely influenced or established by the [GoogleAuth] project, which provided a working reference system of two complementary methods for the TOTP service to share the TOTP secret key with the prover during enrollment, described as follows. 3.2. Hexadecimal String Enrollment The TOTP secret key itself is expressed as a hexadecimal string of an arbitrary length chosen by the TOTP service. During enrollment the TOTP service can display the randomly generated hexadecimal string to the user for them to type or paste into an authenticator application. 3.3. QR Code Enrollment To avoid typographic errors when the user enters the TOTP secret key into the prover that was provided by the TOTP service, the use of a [QR_Code] was introduced so that manual data entry was not required by the user. The QR Code encodes an otpauth URI scheme, per the [totp-uri-format] and proposed as a draft IETF standard [draft-linuxgemini-otpauth-uri] with the following parameters: algorithm=(SHA1|SHA256|SHA512|MD5) OPTIONAL, defaults to SHA1. secret=[websafe Base32 encoded TOTP secret key, no padding] REQUIRED, 128 bits or more. digits=(6|8) OPTIONAL, defaults to 6. period=N (totp specific) OPTIONAL, defaults to 30. The otpauth URI also includes a human-readable Label to identify the issuer and account name. Some TOTP services also supply a "user" parameter. Both the account name and user parameter could disclose the complete identity that the TOTP secret key applies to. Below is a fictitious example otpauth URI that could be encoded into a QR Code for the user "human@domain.com" using the ExampleCorp service: otpauth://totp/ExampleCorp%3Ahuman%40domain.com?secret=bl4gbf4ab5l3rj3d6htrxc6bqhrx3m7u&issuer=ExampleCorp and a urldecoded version of the text: otpauth://totp/ExampleCorp:human@domain.com?secret=bl4gbf4ab5l3rj3d6htrxc6bqhrx3m7u&issuer=ExampleCorp Contario Expires 29 March 2025 [Page 6] Internet-Draft totp-secure-enrollment September 2024 Of particular note is that the TOTP secret key value of the "secret" parameter is provided in BASE32 plaintext with no cryptographic protections of any kind, and no expiration or method of revocation for the TOTP secret key if the QR Code or otpauth URI is stored, copied, or transmitted beyond the intended use, or if the TOTP secret key is discovered compromised in any other way. 4. Enrollment Vulnerabilities The above two enrollment methods do not follow the recommendations listed in [RFC6238] section 5.1 stating: All the communications SHOULD take place over a secure channel, e.g., Secure Socket Layer/Transport Layer Security (SSL/TLS) [RFC5246] or IPsec connections [RFC4301]. This results in a wide range of vulnerabilities. 4.1. Hexadecimal String Enrollment Vulnerabilities Hexadecimal String Enrollment where the TOTP secret key string is visibly presented to the user is often vulnerable to compromise by the following non-exhaustive list of vectors: 1. a nearby observer viewing and remembering the visible TOTP secret key 2. a nearby observer photographing the visible TOTP secret key 3. the user copying the key to the computer's clipboard and then pasting the TOTP secret key into the prover during enrollment (which exposes the key to potentially malicious applications that monitor the clipboard contents) 4. the user copying the TOTP secret key to the computer's clipboard and then pasting the TOTP secret key into an email, instant message, or SMS message to send to another user for enrollment (which may persist the TOTP secret key in external or internal systems indefinitely) 5. the user copying the TOTP secret key to a computer's clipboard and then pasting into a file for later use (which which may persist the TOTP secret key to local or cloud storage) Contario Expires 29 March 2025 [Page 7] Internet-Draft totp-secure-enrollment September 2024 4.2. QR Code Enrollment Vulnerabilities Enrollment via [QR_Code] where the encoded TOTP secret key is visible presented to the user is often vulnerable to compromise by the following non-exhaustive list of vectors: 1. a nearby observer photographing the QR Code 2. the user copying the QR Code image into an email or SMS message to send to another user for enrollment (which may persist the TOTP secret key in external or internal systems indefinitely) 3. the user photographing the QR Code image on their mobile device for later use by the authenticator application (which may persist the TOTP secret key in external or internal systems indefinitely) 4. the user photographing the QR Code image on their mobile device to send to another user via email, instant message, cloud service, or SMS for enrollment (which may persist the TOTP secret key in external or internal systems indefinitely) 5. the user printing the QR Code image to complete enrollment later 4.3. Elevated Risk for QR Code Enrollment As described earlier, the string encoded in the QR Code is a [RFC3986] URI that contains all of the needed information to link the key to the TOTP service and the user with which it is associated, referred to in this document as an otpauth URI. The information provided in the QR Code greatly simplifies the TOTP enrollment since the user does not need to name the entry in their authenticator application or type in a hexadecimal string, so most users opt for the QR Code enrollment method. However, the tradeoff for this convenience is that the QR Code potentially contains all of the information needed by an attacker to log in to the associated target system as the associated user, except for the user's first factor password. If the target system is internet-facing and the login page can be identified by name or other intelligence, and the user's identifier is an email address that can be found in a database of accounts with compromised passwords, then having the TOTP secret key, also in the QR Code, potentially gives the attacker all of the factors needed to log in as the user to the target system. Contario Expires 29 March 2025 [Page 8] Internet-Draft totp-secure-enrollment September 2024 Because of the vectors by which the QR Code could be unintentionally exposed or stored on systems outside of the user's control for later harvesting, a secure enrollment method that does not expose the TOTP secret key is needed. 5. TOTP Secure Enrollment The following method protects the TOTP secret key via HTTPS/TLS as recommended in [RFC6238] section 5.1 when the TOTP service is accessible on a public or private network via a URL that can be generated by the TOTP service. Since this document is dealing only with TOTP implementations, the remainder of this document will prefer the shortened form of “Secure Enrollment” in place of “TOTP Secure Enrollment”, and “authenticator application” in place of “TOTP authenticator application” 5.1. Mechanism of Operation The "secret" parameter of the otpauth URI, as described in [totp-uri-format], normally only accepts a BASE32 encoded hexadecimal secret key. However, in a “Secure Enrollment otpauth URI”, the “secret” parameter MUST accept a urlencoded URL with a HTTPS protocol string. This URL, referred to from here forward as the “Secure Enrollment URL”, is how the authenticator application connects to the TOTP service to get a copy of the legacy otpauth URI that contains the secret key. The [RFC3986] URL specification requires the protocol in a URL be separated by a colon (“:”) which is urlencoded into “%3A”. Because both the “%” and “:” characters are not valid in BASE32 encoding, their presence in the “secret” parameter can effectively be used as a signal that the value of the “secret” parameter should be urldecoded and the resulting value used as the Secure Enrollment URL to request the original format TOTP otpauth URI containing the plaintext TOTP secret key via a network connection. To minimize the data that is stored in the Secure Enrollment QR code, all of the optional fields SHOULD NOT be included in the Secure Enrollment otpauth URI. Only the “secret” parameter of the otpauth URI should be populated (as shown below). *The actual enrollment data, in the form of an otpauth URI, used by the authenticator application does not change. The enrollment data simply gets delivered via HTTPS instead of embedded in a QR code.* Contario Expires 29 March 2025 [Page 9] Internet-Draft totp-secure-enrollment September 2024 The Secure Enrollment URL MUST include a nonce value that will be marked as invalid after first use by the TOTP service to insure that the request is only ever responded to one time only (not more than once). The Secure Enrollment URL gets added to the “Secure Enrollment otpauth URI”, then encoded into a QR Code, then displayed to the user, and then decoded by the user's authenticator application. A sample Secure Enrollment otpauth URI for ExampleCorp: otpauth://totp/?secret=https%3A%2F%2Fexamplecorp.com%2Fapi%2Fenrollmfa%2F16062671560671769238465892 The Secure Enrollment URL portion of the URI follows the “?secret=” portion and decodes to: https://examplecorp.com/api/enrollmfa/16062671560671769238465892 The authenticator application MUST make a HTTP POST request using the Secure Enrollment URL to retrieve the otpauth URI text string in the same legacy format used by authenticator applications prior to adoption of TOTP Secure Enrollment. It should also be noted that the use of a QR code is not required for Secure Enrollment. The user’s authenticator application could accept the Secure Enrollment URL via QR code, copy and paste, or manual entry of the Secure Enrollment URL text itself. 5.2. Device Enrollment Data TOTP enrollment has historically been a “blind” process because there was no direct interaction between the authenticator application and the TOTP service. Administrators had no information to help end- users that forgot what device or authenticator application they to use to get their 6 digit TOTP codes. Now the authenticator application makes a HTTP POST request to the TOTP service during Secure Enrollment, so there is an opportunity to send and capture information for administrators to provide hints about which device and authenticator application an end user should use to log in. When the authenticator application makes the POST request it SHOULD send a request body with device enrollment data in JSON format using Content-Type set to “application/json”. The sending of this enrollment data is optional. The recommended content of the JSON data is as follows: Contario Expires 29 March 2025 [Page 10] Internet-Draft totp-secure-enrollment September 2024 { "event_type":"totp-secure-enrollment", "time_local":"Sun, 22 Sep 2024 23:46:30 -0400", "time_utc":"2024-09-23T03:46:30.637Z", "device_model":"F990", "device_manufacturer":"Foo", "os_name":"android", "os_version":"12", "application_name":"Aegis", "application_version":"3.1.1", "location_description":"Cincinnati, Ohio, USA", "location_longitude":"-84.512", "location_latitude":"39.103" } All element values should be evaluated as strings and contain the following information: event_type: always the literal string "totp-secure-enrollment" for easy identification by humans and machine time_local: time of enrollment, recommended formatted as RFC 1123 Date Time for local time of the device for human readability time_utc: time of enrollment, ISO-8601 instant format recommended for machine readability device_model: the device model name or the model number device_manufacturer: the device manufacturer name os_name: the operating system name os_version: the operating system version in human readable form application_name: the authenticator application name or title application_version: the authenticator application version in human readable form location_description: if available and permitted, a descriptive name for the location of the device at the time of enrollment, preferably showing country, region / state / province, and municipality location_longitude: if available and permitted, the coarse longitude of the device at the time of enrollment Contario Expires 29 March 2025 [Page 11] Internet-Draft totp-secure-enrollment September 2024 location_latitude: if available and permitted, the coarse latitude of the device at the time of enrollment It is also optional, but recommended, for the TOTP service to store and/or parse the device enrollment data for future use. The data can be used for both end user assistance and administrative review of the different devices being used for TOTP Secure Enrollment. 5.3. Secure Enrollment QR code Workflow The Secure Enrollment ideal workflow will follow these general steps when using a QR code is viable: 1. *Enrollment Request*: The user initiates the enrollment process for TOTP for 2FA or MFA on their account. The user experience is then passed to the TOTP service. 2. *Secure Enrollment Preparation*: The TOTP service generates a nonce and a random TOTP secret key, storing them both temporarily in a secure location with a configurable validity period (expiration) for human interaction, such as 5 minutes. 3. *Secure Enrollment Presentation*: The TOTP service generates and presents to the user a QR Code that contains an otpauth URI in the format established by [GoogleAuth], but instead of the "secret" parameter containing the TOTP secret key, it contains a urlencoded network-accessible HTTPS URL with only a nonce and no secret key. 4. *User Interaction*: The user interacts with the TOTP authenticator application to scan the QR Code presented. 5. *Secure Key Request*: When the authenticator application detects a “%” or “:” character in the "secret" parameter value of the otpauth URI, the authenticator application performs the new Secure Enrollment functionality by urldecoding the “secret” parameter and using that value in a HTTP POST request. 6. *Secure Key Response*: When the TOTP service receives the HTTP POST request with the nonce, it looks up the nonce from temporary secure storage and if the nonce is not expired it returns the response (over the HTTPS/TLS secure channel) with the otpauth URI containing the secret key in the legacy de facto format, the same data that would normally be provided in the QR Code by the [GoogleAuth] code prior to implementation of Secure Enrollment. At the same time, the TOTP service optionally saves the JSON device enrollment data contained in the POST request body for future use. Contario Expires 29 March 2025 [Page 12] Internet-Draft totp-secure-enrollment September 2024 7. *TOTP Enrollment*: The authenticator application extracts the "issuer", "secret", "digits", and other parameters from the otpauth URI and registers a new entry in the authenticator application. This step is unchanged from the previous process, except the otpauth URI with the secret key is delivered via HTTPS rather than the QR Code. 8. *TOTP Verification*: The TOTP service presents a user interface that requires the user to enter the current one-time password and verify it before considering the user fully enrolled. 9. *Secure Enrollment Flag*: It is RECOMMENDED that in addition to the new TOTP secret key, the enrollment data stored by the TOTP service should include a Secure Enrollment flag to indicate that this enrollment was completed over a secure channel. This can be used for auditing purposes and to force users to re-enroll their TOTP authenticator application entries that were not completed in a secure manner in the past. 5.4. Secure Enrollment Copy Paste Workflow The Secure Enrollment ideal workflow will follow the same general steps as the above QR code workflow when it is easier to copy and paste a text string than to use a QR code, with the exception of the following two steps which are slightly modified and used instead of the same numbered steps: 3. *Secure Enrollment Presentation*: The TOTP service displays in selectable text the otpauth URI in the format established by [GoogleAuth], but instead of the "secret" parameter containing the TOTP secret key, it contains a urlencoded network-accessible HTTPS URL with only a nonce and no actual secret key. The user optionally copies the otpauth URI text into the clipboard or transfers it electronically. 4. *User Interaction*: The user interacts with the authenticator application by pasting or typing in the otpauth URI text and submitting it. 5.5. Workflow Notes In both the Copy Paste Workflow and the QR code Workflow, the final secret key that is enrolled is never exposed to the user, attackers, or other systems. The secret key is directly exchanged via HTTPS between the TOTP service and the authenticator application. 5.6. Requirements Secure Enrollment requires the following that is not already defined in [RFC6238]: Contario Expires 29 March 2025 [Page 13] Internet-Draft totp-secure-enrollment September 2024 1. The TOTP service MUST be able to create a Secure Enrollment URL to an API endpoint that can accept an anonymous HTTPS POST request. 2. The TOTP service API endpoint SHOULD be configured to require non-deprecated TLS ciphers via HTTPS. 3. The Secure Enrollment URL MUST be resolvable and accessible to the authenticator application via internet or private network connection at the time of enrollment. 4. The TOTP service MUST generate a cryptographically secure random string data token to be used as a nonce to both include in the URL and store in secure temporary storage to be accessed by the API endpoint. It is recommended that the nonce have at least 64 bits of entropy. Newly-generated GUID v4 or UUID v4 values are acceptable nonce values at the time of this writing. 5. The TOTP service MUST set a nonce validity period (expiration) for completion of the human actions. The nonce validity period SHOULD be reasonable for authorized users, such as 5 minutes into the future. 6. The TOTP service MUST NOT permanently store the generated secret key as enrolled until after the user has completed TOTP Verification by entering the current one-time password as a part of an existing user session authenticated with a previous factor. 7. The TOTP service MUST generate an otpauth URI that sets the "secret" parameter value to the Secure Enrollment URL generated per above requirements (instead of the actual TOTP secret key), encoding the parameter value per [RFC3986] section 2. 8. The TOTP service MUST exclude optional parts (per [totp-uri-format]) from the Secure Enrollment otpauth URI that is presented to the end user as a QR code or text string to limit data exposure. 9. The authenticator application MUST allow the otpauth QR code to exclude all optional data from the otpauth URI, including the Label and User parameter, only providing the “secret” parameter that is populated with the Secure Enrollment URL. 10. The TOTP service API endpoint MUST invalidate the nonce after its expiration period or upon first use by the API endpoint, whichever comes first, using appropriate concurrency locking mechanisms to avoid race conditions. Contario Expires 29 March 2025 [Page 14] Internet-Draft totp-secure-enrollment September 2024 11. The TOTP service MUST generate a new secret key any time a new nonce value is generated for a Secure Enrollment URL. To avoid any race conditions or other security concerns, if the user requests a new QR code or refreshes the page containing the otpauth URI or QR code, a new secret key and nonce value MUST be generated and supplied. 12. The TOTP service API endpoint MUST NOT respond with an actual secret key unless the nonce is found in secure temporary storage, is unused, and the current time is within the validity period. An affirmative response with a secret key MUST return an HTTP 200 success code with a response body containing a URL in the same format established by [GoogleAuth] as described in [totp-uri-format] with the “secret” parameter containing the BASE32 encoded secret key. 13. The TOTP service API endpoint SHOULD respond with a uniform HTTP 4xx series response error code and message whether the nonce is invalid or expired, preferably a 403 Forbidden response. In environments with specialized security needs the TOTP service API endpoint MAY choose to respond with any other non-usable response, including a TCP disconnect, 200 success code with a blank response, a URL with a decoy TOTP secret key, or any other response that serves the purpose of thwarting an attacker with a false positive response. 14. The TOTP service MAY offer a user-initiated option in the UI to switch to legacy enrollment. Prior to redirecting the user to legacy enrollment the UI SHOULD display a localizable message that warns the user to protect the legacy QR Code and/or the TOTP secret key string from observation and photographic or video capture, and avoid saving, sending, or transmitting them in any form to prevent compromise of the TOTP secret key. 5.7. Reference Code Pull requests illustrating reference implementations based on working open source code bases can be found here: TOTP Secure Enrollment authenticator application reference code [totp-secure-enrollment-reference-authenticator] TOTP Secure Enrollment server framework demo code [totp-secure-enrollment-reference-server] Contario Expires 29 March 2025 [Page 15] Internet-Draft totp-secure-enrollment September 2024 5.8. Exclusions TOTP Secure Enrollment does not claim or provide any additional benefit in the following non-exhaustive list of areas: 1. Protection of the secret key once it is stored in the authenticator application after successful Secure Enrollment. 2. If the device containing the authenticator application is obtained by an attacker or is compromised by malware. 3. Assisting in inventorying or tracking enrolled systems to invalidate the enrolled secret key. 4. Purposefully setting up the same TOTP enrollment on multiple authenticator applications for redundancy or shared accounts. This is a usage scenario for TOTP outside of industry best practices and incurs elevated risk. Secure Enrollment is not intended to protect or facilitate this. 5.9. Alternative Network Transports This document describes the Secure Enrollment process specifically using HTTPS as a secure network transport. In exceptional cases an alternative transport, such as SSH-2 or another protocol, might be required instead of HTTPS due to specialized requirements. The [RFC3986] URL value in the “secret” parameter of the [totp-uri-format] when using Secure Enrollment allows for other network transport protocols to be specified. Some of the functionality provided by the HTTPS POST request may not map directly to all network transport protocols, which may preclude the authenticator application from transmitting device and location information to the TOTP service, but should still allow for the secure exchange of the TOTP secret key. 6. Related Enhancements There are other efforts to improve the TOTP experience and security, such as proposed in draft [draft-strbac-totp2]. It is believed that the Secure Enrollment method described here can work in conjunction with and enhance the enrollment / registration process as described in [draft-strbac-totp2] section "3. Authentication Scheme Overview" to improve the security of the "TOTP2 Registration" step. 7. Security Considerations Contario Expires 29 March 2025 [Page 16] Internet-Draft totp-secure-enrollment September 2024 7.1. General All security considerations for the execution of TOTP and storage of the TOTP secret key are covered in [RFC6238]. 7.2. TOTP secret key exchange The secure exchange of the TOTP secret key MUST use a secure network transport protocol, such as HTTPS. The implementation of the protocol SHOULD follow industry best practices, such as: 1. TOTP service API endpoints only allow HTTPS SSL/TLS ciphers that are not deprecated by the industry. 2. TOTP service API endpoints advertise/enumerate the supported ciphers in preferred order of perceived security by traditional and quantum standards at the time of the exchange, always preferring ciphers that are deemed the most secure against "harvest now, decrypt later" attacks. 3. Authenticator applications negotiate the HTTPS SSL/TLS connection with ciphers in the order advertised/enumerated by the TOTP service API endpoint. 7.3. Secret key harvesting Once it is common knowledge that the legacy QR codes used for TOTP enrollment have no encryption or safeguards, and they can be reused since they contain the non-expiring secret key, attackers may start scanning images in cloud storage or sent via MMS that contain QR codes to harvest the secret key, along with the other details in the QR code otpauth URI. Identification of a target QR code is trivial once decoded into a text string since they all start with “otpauth://”. 7.4. Secure Enrollment Flag It is RECOMMENDED in the workflow above that in addition to the new TOTP secret key, the enrollment data stored by the TOTP service should include a Secure Enrollment flag to indicate that this enrollment was completed over a secure channel. It is also RECOMMENDED that action be taken against user accounts that do not have the Secure Enrollment Flag set on their accounts. This action could include, but is not limited to, one or more of the following options that could be happen after a given date for each option: 1. Manual human intervention and verification that the authorized user completes the new Secure Enrollment process. Contario Expires 29 March 2025 [Page 17] Internet-Draft totp-secure-enrollment September 2024 2. Disable the user accounts until option 1 is performed. 3. When the TOTP service detects success for a user with the Secure Enrollment flag set to false, fail the login, and send the user through the Secure Enrollment process. Once they complete it, the Secure Enrollment flag will be set to true and they will be able to log in normally using TOTP authentication. 8. IANA Considerations This document has no IANA actions. 9. References 9.1. Normative References [GoogleAuth] "Google Authenticator OpenSource", n.d., . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . [RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP: Time-Based One-Time Password Algorithm", RFC 6238, DOI 10.17487/RFC6238, May 2011, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [totp-uri-format] "TOTP URI Format", n.d., . 9.2. Informative References Contario Expires 29 March 2025 [Page 18] Internet-Draft totp-secure-enrollment September 2024 [draft-linuxgemini-otpauth-uri] Gemini, L., "The otpauth URI Scheme", I-D draft- linuxgemini-otpauth-uri, August 2023, . [draft-strbac-totp2] "TOTP2 Authentication Scheme", n.d., . [QR_Code] "ISO/IEC 18004, currently ISO/IEC 18004:2015 Information technology — Automatic identification and data capture techniques — QR Code bar code symbology specification", n.d., . [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . [totp-secure-enrollment-reference-authenticator] "TOTP Secure Enrollment reference authenticator application pull request", n.d., . [totp-secure-enrollment-reference-server] "TOTP Secure Enrollment reference server pull request", n.d., . [UT] "Wikipedia, "Unix time", February 2011", n.d., . Acknowledgments Thank you to Lauro Chavez and Zach Fuller at Silent Sector for their reviews, suggestions, and support. Thank you to Al Katawazi and Craig Tulli of Blueshift Technologies for reviews and feedback. Thank you to Mike Amundsen of Amundsen.com for guidance in starting the IETF draft process. Contario Expires 29 March 2025 [Page 19] Internet-Draft totp-secure-enrollment September 2024 Author's Address Brian Contario Silent Sector Email: bcontario@silentsector.com Contario Expires 29 March 2025 [Page 20]