User:Huji/2FA
Two-factor authentication (2fA) uses a randomly generated secret key to prevent a hacker to login even if they have the username and password of a victim account. The key consists of 6 digits each ranging between 0 and 9. Let's assume that a hacker has found the password for an account that is protected by 2FA, he is able to check 200 secret keys per minute, and there is no throttling or account locking mechanism in place.
- Static key
There exist 1,000,000 possibilities for the secret key. If the secret key stays the same, it will take a maximum of 1,000,000 attempts, and on average, 500,000 attempts) to break in through brute force.
At a rate of 200 attempts per minute, 1,000,000 attempts will take minutes, which is equal to days. On average, half of that time is needed (i.e. about 1.74 days)
- Dynamic key
If the key is changed every 30 seconds, then the brute force attack is effectively reset every 30 seconds. It means in each 30-second period there is a probability of that the secret key is found and a probability of that it is not.
To know how likely it is that the password is still not found after a certain time period (measured in seconds), we can use this formula: . Each day contains periods. Therefore, to make it easier to compare the result with previous section, we can change the formula such that is measured in days, which gives us .
Solving this equation for the value gives us a number that is more or less comparable to the amount of time needed on average to break a static key (which was about 1.47 days). And the answer will be approximately 2.41 days.