This article is pointless clickbait - what percent of systems don't have some sort of throttling or lockout after X number of bad guesses - damn few I would say. Even the most basic, low budget systems I have developed or worked on have throttling rules in place - many with exponentially increasing timeouts that would prevent this sort of attack.

If a website/system does not implement even the most basic security practices, then there are probably a lot of easier ways to hack into in than trying 100,000+ different passwords in a row.

> Say you are thinking of a number between 1 and 10,000 and give me one thousand attempts to guess it. To make it harder, you change the number every 100 guesses. To make it harder still, you are thinking of changing it every 50 guesses. Would that work? Well, in the first case I get 100 guesses at 10 different numbers, in the second I get 50 guesses at 200 different numbers, but that makes no difference — I get the same number of guesses, and I only have to guess correctly once to succeed. Mathematically, it boils down to the fact that (xa)b=xab.

That's blatantly false, of course it makes a difference, because it makes the events stochastically independent.

If I choose a number between 1 and 10, and I give you 10 chances to guess it, you have 100% chances to guess it. If on the other hand I change it at every guess, you have only ~65% of chances to guess it.

Edit: fixed the % of chances, it is a binomial distribution, and I totally miscalculated it

I feel like the service has larger problems if they're allowing you 10 requests a second for 3 days...

> For a high value account, a motivated attacker can and will continue at this point. (And if you don't consider your accounts high value, why are you bothering with 2FA?).

Because credential stuffing is highly lucrative, even when no individual account is particularly high value, and is the most common way accounts are compromised on most services. There are other things a _user_ might do to prevent credential stuffing, like using unique passwords, but 2FA has the benefit of actually being visible/verifiable for you as a service provider.

>An alternative is account locking after a number of failures, which is much better. However it also brings problems. It means that your 2FA must only be accessible for people who already have passed one level of security, otherwise you have a denial of service vulnerability.

Isn't that how most 2fa flows work? You enter username + password, if it gets accepted you move onto a second page where you enter your 2fa code.

> Plus you need all the account unlocking procedures etc, and need to make sure they are secure, and not actually effectively another attack route.

But realistically speaking don't you need a password reset flow? If so you can just reuse the password reset flow for lockouts as well.

(I'm the cofounder at https://clerk.dev)

We - and I'm sure every other vendor - limit OTP tries.

The guidelines for authentication are very well-defined by NIST 800-63B. For example:

> In all cases, the authentication SHALL be considered invalid if not completed within 10 minutes.

https://pages.nist.gov/800-63-3/sp800-63b.html#5132-out-of-b...

Depending on the exact type of OTP, NIST may have different guidelines.

The thing I don't understand is why some OTP systems have started issuing 7-digit codes via text/email (e.g. Sendgrid). I have to imagine Sendgird is competent enough to lockout the account after a few failed OTPs and/or limit the duration a code is valid, so I don't understand the need for the extra digit. It makes mental chunking harder, and is nothing but security theater if the above two checks are in place.

I think what’s important here is when there can’t or won’t be a “lock out” after a certain number of tries. I’ve seen a few door locks based on TOTPish. They won’t lock you out because who knows why. You can just stick a device outside the door, slamming the BLE endpoint with codes until it unlocks, sorta like a proxmark used to do for keyless entries (maybe still does, haven’t messed with them since ‘08ish)

Its a shame the TOTP standard does nor support variable code length, 8 symbols seems to be better for high value accounts but still usable

Any site that allows you more than a few attempts at a time has already failed.

irrelevant, as OTP time out in minutes?

What I'm curious about is... If I collect 10 of your OTP keys, can I brute force the secret the generates them?