https://www.jonaslieb.de/tags/pentesting/Recent content in Pentesting on Jonas LiebHugoenMon, 09 Mar 2026 21:10:00 +0100https://www.jonaslieb.de/blog/totp-brute-force/Mon, 09 Mar 2026 21:10:00 +0100https://www.jonaslieb.de/blog/totp-brute-force/<p>There is this tiny statistics problem in IT security that almost nobody talks about, yet I have seen people get it wrong many times in the past: Calculation of the success probability of brute-force attacks against TOTP two-factor authenticators.</p> <p>As a reminder: TOTP tokens are defined in <a class="external-link" target="_blank" href="https://datatracker.ietf.org/doc/html/rfc6238" title="RFC 6238 (&#34;TOTP: Time-Based One-Time Password Algorithm&#34;)">RFC 6238 (&#34;TOTP: Time-Based One-Time Password Algorithm&#34;)</a>. They usually consist of six-digit strings that change every 30 seconds. The entire sequence of tokens is derived from a secret (and the current time) in a way that makes token prediction without the secret impossible. TOTP tokens are commonly used as a second factor, in addition to a user&rsquo;s password, reducing the impact of a potential password compromise.</p>