Shared Secret

Shared Secret, 2020, TOTP QR Code

Shared secrets are part of the invisible structure of society. They constitute a form of currency.

Computing security culture defines “secrets” as passwords, private keys, unguessable slices of entropy. They are to be revealed only briefly to cross the threshold of a computing system. The consequences of sharing them with attackers, which is to say other people, are catastrophic – leading to your presence in the system or the system itself becoming compromised, or 0wned.

Doing so is therefore strongly taboo.

Two secrets are stronger than one when establishing that the person presenting them is authentically the person they claim to be. To lose one secret may be regarded as a misfortune; to lose both looks like carelessness. The second “factor” of many such contemporary systems is generated by software using the “Timed One Time Password” (TOTP) algorith, which generates a new secret value every thirty seconds from a seed value.

Sharing the secret value compromises your security for the thirty seconds during which it is valid. Sharing the seed value means you can be 0wned permanently.

But if that seed isn’t being used for security purposes, sharing it is harmless. It becomes a shared secret in the sociological rather than the security culture sense, currency rather than taboo.

Doesn’t it?

Source code/image resources:

https://gitlab.com/robmyers/shared-secret