Why do Google 2-factor authentication SMS codes never start with a 0?

This is a classic implementation choice to help reduce data entry mistakes.

People who are in computer science or information security understand the difference between a text string and a series of digits that represents a value. But people who have been trained in finance, accounting, and other fields have been taught to truncate leading zeros when dealing with numbers. They are more likely to see a row of digits as a "number that has a value". For example, if they see "000001", their brain interprets this as the value "one". When it comes time to enter the code, they recall the value "one" and reflexively type "1". Numerically it's an equivalent value, but as a text string it's not an exact match.

The system designer has several options to deal with this.

  • They can generate codes with leading zeros and allow the few users to make the occasional mistake, forcing them to re-enter it. That can give the app a reputation that it is difficult to use.

  • They can change the input system to match on either text matches or numeric value matches. This increases the complexity of the user input logic in a critical security area of the code. The history of security flaws is a long list of evidence that increased complexity in processing user input raises the risk of coding errors that lead to vulnerabilities.

  • They can generate the code from a restricted set of numbers that never risks causing the user confusion. This reduces the possible number of valid combinations by about 10%, which the system designer must account for when computing the feasibility of a brute force or random guessing attack. And by shifting the complexity to the generation section of the code and away from the user input section, programming mistakes may be less likely to create vulnerabilities.

Ultimately, it's a human factors problem for a small fraction of the population. But security systems are already complex, time-consuming, and frustrating, so any usability issues that increase user frustration are really bad to intentionally keep in a security system (especially one you're trying to market commercially).
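The three options above, worked through in code. This is an added example, not code from the answer above or from Google; the function names, the 6-digit length and the sample codes are my own assumptions. It generates codes with and without a leading zero from a CSPRNG, computes the keyspace each gives (and the ~10% reduction the answer mentions), and contrasts exact string matching with the "accept numeric equality too" verifier, including one of the input-handling traps that the answer warns about.

```python
import hmac
import secrets

CODE_LEN = 6  # assumed code length; Google SMS codes are 6 digits


def generate_code_plain(length: int = CODE_LEN) -> str:
    """Option 1: every position drawn from 0-9, so a leading zero is possible.
    Keyspace is 10**length (1,000,000 for six digits)."""
    # secrets.randbelow is unbiased and backed by the OS CSPRNG.
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def generate_code_no_leading_zero(length: int = CODE_LEN) -> str:
    """Option 3: first digit drawn from 1-9, the rest from 0-9.
    Keyspace is 9 * 10**(length-1) (900,000 for six digits)."""
    first = str(1 + secrets.randbelow(9))
    rest = "".join(str(secrets.randbelow(10)) for _ in range(length - 1))
    return first + rest


def keyspace(length: int, leading_zero_allowed: bool) -> int:
    """Number of distinct codes the generator can produce."""
    return 10 ** length if leading_zero_allowed else 9 * 10 ** (length - 1)


def keyspace_reduction(length: int) -> float:
    """Fraction of the keyspace given up by banning a leading zero (always 1/10)."""
    return 1 - keyspace(length, False) / keyspace(length, True)


def guess_success_probability(length: int, leading_zero_allowed: bool,
                              attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one fixed code. This is the
    figure the designer has to re-check when shrinking the keyspace; the usual
    mitigation is a low attempt limit and a short code lifetime."""
    return min(1.0, attempts / keyspace(length, leading_zero_allowed))


def verify_exact(expected: str, submitted: str) -> bool:
    """Options 1 and 3: the submitted text must match the issued code exactly.
    Constant-time comparison so the check does not leak how many leading
    characters were right."""
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def verify_numeric(expected: str, submitted: str) -> bool:
    """Option 2: also accept the submission if it is numerically equal, so "1"
    is accepted for "000001". Shown for contrast; note how much more input
    handling it needs than verify_exact."""
    s = submitted.strip()
    # str.isdigit() alone is not enough: it is True for Unicode digits such as
    # "٣" (which int() converts) and for "²" (which makes int() raise), so the
    # ASCII check is required to keep this from crashing or accepting odd input.
    if not (s.isascii() and s.isdigit()) or len(s) > len(expected):
        return False
    return int(s) == int(expected)
```

Constructed comparison: verify_exact("000001", "1") is False, which is the failed login the answer describes, while verify_numeric("000001", "1") is True at the cost of the extra parsing branch. Banning the leading zero instead keeps verify_exact and moves the complexity into the generator, where a bug cannot be triggered by attacker-chosen input.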