Open
Description
Much encryption software, including VeraCrypt, supports password authentication. This is vulnerable to keyloggers and screenshots. By adding TOTP as a password option, the attacker needs to figure out:
- that the password is just a random number or TOTP,
- which the auth device (TOTP app or device) is
This is important because:
- current password method relies on 1 string. If it got stolen, you lost.
- by using TOTP, if the attacker knows the password 12345678, it cannot be used anymore because the time cannot be reversed back.
- also the user can nuke the TOTP app or device anytime, which can render attack (login) impossible.
Please DO consider this (how-to below)
Desired behavior
- In "VeraCrypt encryption Wizard"'s password option UI, add "Use TOTP instead of password" or "Use TOTP with a password".
1-1. The former will display a QR code and ask you to scan it (without any backup tokens, just QR)
1-2. The latter asks you for a password.
When the user authenticates,
1-1. password will be: 12345678 (derived from TOTP with computer time)
1-2. password will be 12345678MyExtraPasswordStringHere
Screenshots/Mockup/Designs
Additional information
Your Environment
Please tell us more about your environment
VeraCrypt version:
Operating system and version:
System type:
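
An added example (not part of the issue and not VeraCrypt code): how an 8-digit RFC 6238 code such as the `12345678` above is computed from a shared secret and the clock, and how a verifier could split the combined entry of option 1-2 and refuse a code from an earlier time step. `split_entry`, `check_entry` and `last_step` are hypothetical names, the secret is the RFC 6238 test value, and the sketch covers code checking only, not how a volume key would be derived.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 8   # the issue's sample code "12345678" has 8 digits


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_entry(entered: str, digits: int = DIGITS):
    """Split '<code><extra password>' as in option 1-2; None if malformed."""
    code, extra = entered[:digits], entered[digits:]
    if len(code) != digits or not code.isdigit():
        return None
    return code, extra


def check_entry(entered, secret, extra_password, now, last_step=-1):
    """Hypothetical verifier: return the accepted time step, or None.
    Only the current step is valid and a step is never accepted twice."""
    parts = split_entry(entered)
    if parts is None:
        return None
    code, extra = parts
    step = now // STEP
    code_ok = hmac.compare_digest(code.encode(), totp(secret, now).encode())
    extra_ok = hmac.compare_digest(extra.encode(), extra_password.encode())
    if code_ok and extra_ok and step > last_step:
        return step
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    extra = "MyExtraPasswordStringHere"
    typed = totp(secret, 59) + extra   # what a keylogger would capture at t=59
    print(check_entry(typed, secret, extra, now=59))               # accepted
    print(check_entry(typed, secret, extra, now=95))               # later step
    print(check_entry(typed, secret, extra, now=59, last_step=1))  # replay
```

For option 1-1 (TOTP only), pass an empty `extra_password` and enter the bare code.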