User:Huji/2FA

Two-factor authentication (2FA) uses a randomly generated secret key to prevent an attacker from logging in even if they have the username and password of a victim account. The key consists of 6 digits, each ranging between 0 and 9. Let's assume that an attacker has found the password for an account that is protected by 2FA, that he is able to check 200 secret keys per minute, and that there is no throttling or account locking mechanism in place.


 * Static key

There exist 1,000,000 possibilities for the secret key. If the secret key stays the same, it will take a maximum of 1,000,000 attempts (and on average 500,000 attempts) to break in through brute force.

At a rate of 200 attempts per minute, 1,000,000 attempts will take $$1,000,000 / 200 = 5,000$$ minutes, which is equal to $$5,000 / (60 * 24) \approx 3.47$$ days. On average, half of that time is needed (i.e. about 1.74 days).


 * Dynamic key

If the key is changed every 30 seconds, then the brute force attack is effectively reset every 30 seconds. It means in each 30-second period there is a probability of $$\frac{100}{1,000,000}$$ that the secret key is found and a probability of $$1- \frac{100}{1,000,000}$$ that it is not.

To know how likely it is that the key is still not found after a certain time period $$t$$ (measured in seconds), we can use this formula: $$( 1 - \frac{100}{1,000,000})^{t/30}$$. Each day contains $$24 (hours) \times 60 (minutes in each hour) \times 2 (30-second periods in each minute) = 2,880$$ periods. Therefore, to make it easier to compare the result with the previous section, we can change the formula such that $$t$$ is measured in days, which gives us $$p = ( 1 - \frac{100}{1,000,000})^{2880 \times t} = (\frac{9,999}{10,000})^{2880 \times t}$$.

Solving this equation for the value $$ p = 0.5 $$ gives us a number that is more or less comparable to the amount of time needed on average to break a static key (which was about 1.74 days). The answer is approximately 2.41 days.
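The two calculations above, carried out in code as an added example (not part of the original page). It reproduces the static-key figures and the dynamic-key median, and goes one step beyond the page by also computing the mean time for the dynamic key, which follows from the per-period success probability being geometric. The attacker rate, key length and 30-second rotation are taken from the page; everything else (function names, the assumption that every guess within a period is distinct and that exactly one code is valid per period) is this example's own.

```python
import math

# Parameters from the page
DIGITS = 6
KEYSPACE = 10 ** DIGITS          # 1,000,000 possible codes
RATE_PER_MINUTE = 200            # attacker guesses per minute, no throttling
ROTATION_SECONDS = 30            # dynamic key is re-drawn every 30 seconds
MINUTES_PER_DAY = 60 * 24


def static_key_days(rate_per_minute=RATE_PER_MINUTE, keyspace=KEYSPACE):
    """(worst-case days, average days) to brute-force a key that never changes."""
    worst_days = keyspace / rate_per_minute / MINUTES_PER_DAY
    return worst_days, worst_days / 2


def guesses_per_period(rate_per_minute=RATE_PER_MINUTE,
                       rotation_seconds=ROTATION_SECONDS):
    """Guesses the attacker fits into one key lifetime (100 for the page's numbers)."""
    return rate_per_minute * rotation_seconds / 60


def periods_per_day(rotation_seconds=ROTATION_SECONDS):
    """Number of key lifetimes in a day (2,880 for 30-second rotation)."""
    return 24 * 60 * 60 / rotation_seconds


def per_period_success(rate_per_minute=RATE_PER_MINUTE, keyspace=KEYSPACE,
                       rotation_seconds=ROTATION_SECONDS):
    """Probability the key is hit within one period, assuming distinct guesses
    (assumption of this example) and a uniformly random key."""
    return guesses_per_period(rate_per_minute, rotation_seconds) / keyspace


def prob_not_found(days, rate_per_minute=RATE_PER_MINUTE, keyspace=KEYSPACE,
                   rotation_seconds=ROTATION_SECONDS):
    """p(t) = (1 - 100/1,000,000)^(2880 * t) with t in days: the page's formula."""
    q = 1 - per_period_success(rate_per_minute, keyspace, rotation_seconds)
    return q ** (periods_per_day(rotation_seconds) * days)


def dynamic_key_median_days(rate_per_minute=RATE_PER_MINUTE, keyspace=KEYSPACE,
                            rotation_seconds=ROTATION_SECONDS):
    """Solve q^(n*t) = 0.5 for t: the point where the attacker has even odds."""
    q = 1 - per_period_success(rate_per_minute, keyspace, rotation_seconds)
    return math.log(0.5) / (periods_per_day(rotation_seconds) * math.log(q))


def dynamic_key_mean_days(rate_per_minute=RATE_PER_MINUTE, keyspace=KEYSPACE,
                          rotation_seconds=ROTATION_SECONDS):
    """Expected days until success: the number of periods is geometric with
    mean 1/p, so the mean is 1/p periods converted to days."""
    p = per_period_success(rate_per_minute, keyspace, rotation_seconds)
    return (1 / p) / periods_per_day(rotation_seconds)


if __name__ == "__main__":
    worst, avg = static_key_days()
    print(f"static key : worst {worst:.2f} days, average {avg:.2f} days")
    print(f"dynamic key: median {dynamic_key_median_days():.2f} days, "
          f"mean {dynamic_key_mean_days():.2f} days")
    for d in (1, 2, 2.41, 5):
        print(f"  P(not found after {d} days) = {prob_not_found(d):.3f}")
```

Note that the median (about 2.41 days) is the figure the page compares against, while the mean for the rotating key is the same 3.47 days as the static worst case; either way the decisive control is the one the page explicitly assumes away: throttling or locking after a handful of failed codes, which removes the attacker's 200 guesses per minute.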