Why use one-time codes for two-factor authentication backups?

Compared with something like SMS or email OTPs, I don't think there's as strong a case to make these one-time-use, but the same arguments still apply.

Let's assume that I have the codes printed out on paper. Then during the recovery process, the recovery code passes through all of the following nodes:

  • Plaintext: My computer's keyboard, OS, browser
  • ENCRYPTED BY HTTPS: browser --> server's TLS endpoint (for ex. CloudFront)
  • Plaintext: TLS endpoint --> networking equipment --> application server
  • Plaintext: Application server <--> db <--> other internal components.

The point is that even with HTTPS, there are a lot of nodes that will have your code in memory (or maybe in logs) as part of the recovery process. If the code is multi-use, then you have to trust that every single one of those nodes is honest and not infected with malware. If the code is one-time-use, then once it's been used, you don't care if it ends up in logs or whatever.

It's not a rock-solid argument, but it's the best I can come up with.
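
The one-time-use property described in the answer above, as an added example that is not part of the original answer: a server-side store that invalidates a recovery code in the same atomic step that accepts it, so a copy left in a log or in memory on any intermediate node is useless afterwards. The class and function names, the SQLite schema and the 10-hex-character code format are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

def _digest(code: str) -> str:
    # Assumption: codes are random and high-entropy, so an unsalted SHA-256
    # is enough to keep the database from holding usable codes.
    normalized = code.replace("-", "").strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()

class RecoveryCodes:
    """Hypothetical store for one-time backup codes (illustrative only)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE codes (user TEXT, digest TEXT, used INTEGER DEFAULT 0,"
            " PRIMARY KEY (user, digest))")

    def issue(self, user: str, count: int = 10) -> list[str]:
        # The plaintext codes are returned once for printing, never stored.
        codes = [secrets.token_hex(5) for _ in range(count)]
        with self.db:
            self.db.executemany(
                "INSERT INTO codes (user, digest) VALUES (?, ?)",
                [(user, _digest(c)) for c in codes])
        return codes

    def redeem(self, user: str, code: str) -> bool:
        # One atomic UPDATE both checks and consumes the code, so two
        # concurrent requests carrying the same code cannot both succeed.
        with self.db:
            cur = self.db.execute(
                "UPDATE codes SET used = 1"
                " WHERE user = ? AND digest = ? AND used = 0",
                (user, _digest(code)))
        return cur.rowcount == 1

def demo():
    store = RecoveryCodes()
    codes = store.issue("alice", count=3)
    captured = codes[0]  # constructed: a code that some node also logged
    first = store.redeem("alice", captured)   # legitimate recovery
    replay = store.redeem("alice", captured)  # later reuse of the logged copy
    other = store.redeem("alice", codes[1])   # unused codes still work
    return first, replay, other

if __name__ == "__main__":
    print(demo())
```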