Recently when I was changing some Amazon account settings, I've noticed that they provide an option to validate the OTP by appending it to the password. How would this work, if the password is one-way hashed?
Viewed 347 times
2 Answers
3
The password is not hashed in the application but on the server. The server gets the password+OTP token in the clear (protected with HTTPS between client and server) and can extract both the password and the OTP token from this, then proceed with normal password verification.
Steffen Ullrich
- What if one's password ends in six digits - would it mean that the Amazon service would need to do two-path validation, first through the entire string, and second time with the OTP separated? – Den Jan 20 '20 at 18:51
- @DenDelimarsky: Either the server knows that OTP is expected at the end or it can simply try both variants. – Steffen Ullrich Jan 20 '20 at 20:21
- @DenDelimarsky See also the answer to [Why can I log in to my Facebook account with a misspelled email/password?](https://security.stackexchange.com/q/214814/61744), where FB may hash several commonly-mis-typed variants of the password you supplied (e.g. if `oOPScAPSlOCKiSoN` fails, it may try `OopsCapsLockIsOn`). – TripeHound Jan 21 '20 at 12:10
1
Because it is stored as a one-way hash: since Amazon know how long the OTP part is, they trim that off what you typed before generating the hashed version to compare with what they have stored.
symcbean
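An added worked example of what both answers (and the "try both variants" comment) describe. This is not Amazon's code and not code from either answerer; it assumes a PBKDF2-hashed password, a 6-digit TOTP per RFC 6238, and a hypothetical `User` record with an `otp_required` flag. The server never needs the plaintext password from storage: it splits the submitted string, hashes the candidate password part with the stored salt, and separately checks the OTP part against the user's TOTP secret. To handle Den's case (a real password that ends in six digits), it tries the split variant first and then the whole string as the password.

```python
import hashlib
import hmac
import os
import struct

OTP_DIGITS = 6
OTP_PERIOD = 30  # TOTP time step in seconds (RFC 6238 default)


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Server-side one-way hash (PBKDF2-HMAC-SHA256, assumed for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def totp(secret: bytes, for_time: int, digits: int = OTP_DIGITS, period: int = OTP_PERIOD) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", for_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_valid(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + step * OTP_PERIOD), code)
        for step in range(-window, window + 1)
    )


class User:
    """Hypothetical stored record: salted password hash plus TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes, otp_required: bool = True):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.otp_required = otp_required


def password_matches(user: User, candidate: str) -> bool:
    return hmac.compare_digest(hash_password(candidate, user.salt), user.password_hash)


def candidate_splits(typed: str):
    """Yield (password, otp) pairs to try, OTP-suffix variant first."""
    if len(typed) > OTP_DIGITS and typed[-OTP_DIGITS:].isdigit():
        yield typed[:-OTP_DIGITS], typed[-OTP_DIGITS:]
    yield typed, None  # whole string as password (covers passwords ending in digits)


def verify_login(user: User, typed: str, now: int) -> str:
    """Return 'ok', 'need_otp' (password right, OTP still required) or 'fail'."""
    for password, otp in candidate_splits(typed):
        if not password_matches(user, password):
            continue
        if otp is None:
            return "need_otp" if user.otp_required else "ok"
        if totp_valid(user.totp_secret, otp, now):
            return "ok"
        # password part matched but OTP did not; fall through to the other split
    return "fail"


if __name__ == "__main__":
    # Constructed demo data: fixed secret and timestamp, not real credentials.
    secret = b"12345678901234567890"
    now = 1_700_000_000
    alice = User("hunter2", secret)
    bob = User("hunter2123456", secret)  # password that ends in six digits
    code = totp(secret, now)
    print(verify_login(alice, "hunter2" + code, now))    # ok
    print(verify_login(bob, "hunter2123456", now))       # need_otp
    print(verify_login(bob, "hunter2123456" + code, now))  # ok
```

Two practical caveats: trying both splits can cost a second slow hash per login, so a real service would rate-limit attempts and keep the response timing independent of which variant matched; and a TOTP code should be marked as used for its time step once accepted, so the same password+OTP string cannot be replayed within the window.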