Non #Brits can ignore this from the start but I am taking advantage of my new character limit to rant about The Archers and racism :)

This week’s BBC Radio 4 Feedback had a fun segment on the new Muslim characters in The Archers and their celebrations of Ramadan, which this year happens during Lent. It’s really brought out the little-Britain brigade, and shows why Nigel Farage is so popular – And why I left. There wasn’t a single non-racist caller-inner.

Here’s a summary of the calls to the BBC (whose mission from 1922 is to: “Inform, educate, entertain”) in case I ever decide I want to go back there in some mad moment of thinking I miss the place.

From Jackie in Surrey (It's always a Jackie in Surrey):

"I am a regular Archers listener, and I do want to pick the Archers up on the current focus on fasting for Ramadan. I am all in favour of diversity in explaining about Ramadan in this context but what about mentioning it is also Lent? I am an Orthodox Christian, and we also fast during the whole of Lent by cutting out meat, fish, dairy products, and cutting down the amount eaten. This has been the practice for centuries, and only the Western Christians over many years reduced this so that now fasting is almost unknown. But at the very least, Lent should be mentioned. Where is the vicar?"

[Note: Lent was very much mentioned, Linda and Mr Malec had a little verbal spar about which religion had to give up the most, and which was hardest: Lent or Ramadan – And all the other religious show characters are still doing Lent stuff.]

Hello, feedback. I'm Judith Conzen, and I'm phoning from Ilford in East London (And my racist tool for the day will be sarcasm, please Bob):

“I'm intrigued to note that Linda Snell is embracing religious practice and fasting for Ramadan. I'll be listening intently to hear if she follows up on Yom Kippur, which this year will fall on October 2.

From Patricia Farrell:

“I am shocked that during the time of Lent, a time that is sacred to followers of Jesus Christ, There is no mention at all of our Christian religion during this important period. It's very upsetting that the program supports Ramadan, but absolutely sidesteps any mention of lent. BBC bias? I think so.

Hello. My name is Morris Press, and I am from Teddington in Middlesex. [I could have guessed that within about 20 words]:

“I have been an Archer's listener for over sixty years. However, I never thought the BBC would impose their new woke policy on Ambridge. Last week's episode of the Malecs and Linda sitting down to a Ramadan meal and prayers was a real low for me.

Richard, Dumfriesshire (Aah! Finally a famously unsectarian and tolerant area):

“The Islamization of the Archers proceeds at pace with the Snells fasting for Ramadan as Easter approaches is Alan the vicar joining in with his Hindu wife Usha? We've always been told how racist the countryside is. Perhaps all will be resolved for the tearoom's pancake eating contest.”
…

Now some listeners echo the views of Sylvia Delico from Northamptonshire (Are we ever going to get any from Birmingham or Leeds?):

“Well, I'm not offended by the Muslim characters observing Ramadan [That’s nice of you!]. I do find it offensive that two Christian characters are being woke by fasting alongside them. This is supposedly a story of everyday country folk who live in a farming community; and are not led to promote the BBC's woke identity.”

From Andy [Who it seems has never listened to The Archers]

“The idea Linda Snell would fast is nonsense. It's one thing to introduce them to the village. No one could object to that. But the prayers and doctrine have no place in an everyday story of country folk.”

[“Them” – Yes Andy, we see, turn down that dog whistle won't'cha?]

[Narrative: In this case, it's not the inclusion of Ramadan, but the fact that one of the best known couples in Ambridge, Linda and Robert Snell, are joining in. How convinced are you, Cara, by Linda Snell's involvement? Some of our listeners are saying that it feels a little out of character. I disagree. I think this is absolutely something that Linda would do, and I kinda smirked when she, admittedly, a bit like a boy in the china shop, just went in and goes, I'm doing Ramadan with you.

Linda's a very curious person. She's somebody who's very interested, and she's also somebody that when they're in their guest house, she wants to make them feel as comfortable and at home as possible. And that, for me, I wasn't at all surprised when Linda said this. And, actually, within our group as well, people have really welcomed how this story line has played out, because they've learned quite a lot along the way as well about their neighbours or friends and their faith practice.]

----------------

As you were! Rant over!

The least secure TOTP code possible

https://shkspr.mobi/blog/2025/02/the-least-secure-totp-code-possible/

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).

As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished proposals with no active development, no test suite, and no-one looking after it. Which is exactly what you want from a security specification, right?!

So let's try to find some edge-cases and see where things break down.

One Punch Man

This is possibly the least secure TOTP code I could create. Scan it and see whether your app will accept it.

What makes it so crap? There are three things which protect you when using TOTP.

1. The shared secret. In this case, it is abcdefghijklmno - OK, that's not the easiest thing to guess, but it isn't exactly complex.
2. The amount time the code is valid for before changing. Most TOTP codes last 30 seconds, this lasts 120.
3. The length of the code. Most codes are 6 digits long. In theory, the spec allows 8 digits. This is 1. Yup. A single digit.

If you were thick enough to use this1, an attacker would have a 1/10 chance of simply guessing your MFA code. If they saw you type it in, they'd have a couple of minutes in which to reuse it.

Can modern TOTP apps add this code? I crowdsourced the answers.

Surprisingly, a few apps accept it! Aegis, 1password, and BitWarden will happily store it and show you a 1 digit code for 120 seconds.

A few reject it. Authy, Google Authenticator, and OpenOTP claim the code is broken and won't add it.

But, weirdly, a few interpret it incorrectly! The native iOS app, Microsoft Authenticator, and KeepassXC store the code, but treat it as a 6 digit, 30 second code.

Do The Right Thing

What is the right thing to do in this case? The code is outside the (very loosely defined) specification. Postel's Law tells us that we should try our best to interpret malformed data - which is what Aegis and BitWarden do.

But, in a security context, that could be dangerous. Perhaps rejecting a dodgy code makes more sense?

What is absolutely daft2 is ignoring the bits of the code you don't like and substituting your own data! Luckily, in a normal TOTP enrolment, the user has to enter a code to prove they've saved it correctly. Entering in a 6 digit code where only 1 is expected is likely to fail.

We're Only Human

A one-digit code is ridiculous. But what about the other extreme? Would a 128-digit code be acceptable? For a human, no; it would be impossible to type in correctly. For a machine with a shared secret, it possibly makes sesne.

On a high-latency connection or with users who may have mobility difficulties, a multi-minute timeframe could be sensible. For something of extremely high security, sub-30 seconds may be necessary.

But, again, the specification hasn't evolved to meet user needs. It is stagnant and decaying.

What's Next?

There's an draft proposal to tighten up to TOTP spec which has expired.

It would be nice if the major security players came together to work out a formal and complete specification for this vital piece of security architecture. But I bet it won't ever happen.

• Google have archived their work on authentication standards.
• Apple points to Google's outdated spec.
• YubiCo's incompatible spec hasn't been updated in 4 years.
• The otpauth registration lists a consortium called https://openauthentication.org who don't appear to published anything in a decade.
• Microsoft don't have any documentation whatsoever.

So there you have it. We're told to rely on TOTP for our MFA - yet the major apps all disagree on how the standard should be implemented. This is a recipe for an eventual security disaster.

How do we fix it?

0. Yes! Just like Top of The Pops! The famous British TV show! Wow! I bet you're the first person in history to make that joke! Have a biscuit. ↩︎

1. Please don't! ↩︎

2. I wanted to use the words "utterly fucking stupid" but I felt it was unprofessional. ↩︎