PeerAuth Uses TOTP for Human-to-Human Identity Verification in AI Era

Author: Ze Research Writer

Security researcher Bruce Schneier highlighted PeerAuth, an open-source tool that repurposes TOTP authentication codes to help individuals verify each other's identity during phone calls and video chats in an era of increasingly convincing AI-generated deepfakes.

Executive Brief

Security researcher Bruce Schneier on February 10, 2025, drew attention to PeerAuth, an open-source web application that adapts Time-based One-Time Password (TOTP) technology for a novel purpose: allowing two humans to verify each other's identity during voice or video calls. The tool addresses growing concerns about AI-generated deepfakes that can convincingly impersonate individuals in real-time communications.

PeerAuth, created by developer k_sze and released in early February 2025, generates unique QR codes that two people scan into their authenticator apps. When they need to verify each other's identity during a call, they can read the six-digit TOTP code aloud. Since both parties share the same secret key, their authenticator apps display identical codes at any given moment, providing mutual verification that the person on the other end possesses the pre-shared secret.

The project emerged from the developer's observation that while public-key cryptography offers stronger theoretical security, TOTP provides a more practical user experience for everyday identity verification. According to the developer's comments on Hacker News, the tool was built as a response to advancing AI capabilities that make voice and video impersonation increasingly feasible.

The approach leverages existing TOTP infrastructure that millions of users already employ for two-factor authentication. Rather than requiring new software or complex key exchanges, PeerAuth works with any standard authenticator application. The tool runs entirely in the browser with no server-side component, meaning the shared secrets never leave the users' devices.

What Happened

On February 5, 2025, developer k_sze published PeerAuth on GitHub Pages and submitted the project to Hacker News, where it received 19 points and generated technical discussion about its security properties and limitations.

On February 10, 2025, Bruce Schneier, a cryptographer and security researcher known for his work on applied cryptography and security analysis, featured the project on his widely-read security blog. Schneier's post brought broader attention to the tool and the underlying problem it attempts to address.

According to the developer's statements on Hacker News, the project was created "after seeing what AI can do nowadays." The developer acknowledged that in an ideal scenario, public-key cryptography would provide stronger authentication guarantees, but noted that such solutions lack good user experience for non-technical users.

The developer disclosed that DeepSeek, an AI coding assistant, was used to generate the initial codebase, with manual corrections and internationalization features added afterward. The project is hosted on Cloudflare Pages and GitHub Pages, with the source code publicly available.

Key Claims and Evidence

The core technical claim of PeerAuth is that TOTP codes can serve as a practical mutual authentication mechanism between two humans. According to RFC 6238, the TOTP algorithm generates time-based codes using a shared secret and the current time, producing a new six-digit code every 30 seconds by default.

The developer stated that TOTP was chosen because it is "pretty widespread now, and you can easily read the TOTP code over the phone." The tool generates two QR codes with identical secrets but different labels, allowing each party to identify whose code belongs to whom in their authenticator app.

Discussion on Hacker News raised questions about the authentication model. One commenter noted that the system provides unidirectional authentication in a single exchange: Alice can confirm Bob knows the secret, but Bob must trust Alice's claim that the codes matched. The developer acknowledged this limitation and noted that waiting 30 seconds for the next code rotation allows roles to reverse for bidirectional verification.

Pros and Opportunities

PeerAuth offers several practical advantages for users concerned about identity verification:

The tool requires no new software installation beyond a standard authenticator app, which many users already have for two-factor authentication. Google Authenticator, Microsoft Authenticator, Authy, and similar applications all support the TOTP standard.

The web application runs entirely client-side, meaning shared secrets are generated in the browser and never transmitted to any server. Users can verify this by examining the source code or monitoring network traffic.

The approach provides a low-friction method for establishing identity verification between family members, colleagues, or business contacts who may need to confirm each other's identity during sensitive communications.

For organizations, the tool could supplement existing verification procedures for high-value transactions or sensitive discussions conducted over phone or video.

Cons, Risks, and Limitations

Several technical and practical limitations affect PeerAuth's security model:

The initial QR code exchange must occur through a trusted channel. If an attacker intercepts the QR codes during setup, they can impersonate either party indefinitely. The tool does not solve the initial key distribution problem.

As noted in Hacker News discussion, a sophisticated attacker conducting a real-time man-in-the-middle attack could potentially relay TOTP codes between two separate calls, one to each victim. The attacker would need to maintain both connections simultaneously and forward authentication codes in real-time.

The tool does not authenticate the communication channel itself. An attacker with access to the audio or video feed could theoretically inject or modify content while allowing legitimate TOTP exchanges to pass through.

Users of Tor Browser reported that the QR codes display as distorted vertical stripes due to the browser's anti-fingerprinting protections that randomize Canvas API output. The developer added a text-based secret display option to address this limitation.

How the Technology Works

TOTP authentication relies on a shared secret key and synchronized time between two parties. When both parties possess the same secret, their authenticator applications perform identical cryptographic calculations using the current time, producing matching six-digit codes.

The algorithm, specified in RFC 6238, divides time into 30-second intervals. For each interval, the authenticator computes an HMAC-SHA1 over the current time-interval counter, keyed with the shared secret. The resulting hash is dynamically truncated to produce a six-digit decimal code.

PeerAuth generates a random secret key in the browser using the Web Crypto API. The tool then encodes this secret into two QR codes following the otpauth:// URI scheme, which authenticator apps recognize. Each QR code contains the same secret but different labels identifying the two parties.

When users need to verify identity, one party reads their current TOTP code aloud. The other party checks whether their authenticator displays the same code. Since TOTP codes change every 30 seconds, an attacker would need real-time access to the shared secret to generate valid codes.

Technical context: The security of TOTP depends on the secrecy of the shared key and the accuracy of time synchronization. Most authenticator apps tolerate clock skew of one or two time periods (30-60 seconds) to account for minor time differences between devices.
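As an added example (not PeerAuth's own code), a minimal Python rendering of the scheme described above: RFC 6238 TOTP generation, two otpauth:// URIs that share one secret but carry different labels, and a skew-tolerant comparison of a code read aloud. The label/issuer layout of the URIs and the use of Python's secrets module in place of the browser's Web Crypto API are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, quote, urlparse

STEP = 30  # RFC 6238 default time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) with HMAC-SHA1 over the time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)          # 8-byte big-endian counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()  # keyed with the shared secret
    offset = mac[-1] & 0x0F                                  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def new_pairing_secret() -> bytes:
    """Fresh 160-bit secret; the browser tool uses Web Crypto, this stand-in uses secrets."""
    return secrets.token_bytes(20)


def peerauth_uris(secret: bytes, label_a: str, label_b: str, issuer: str = "PeerAuth") -> tuple:
    """Two otpauth:// URIs with an identical secret and a different label per party.
    The label/issuer layout is an assumption, not the project's exact format."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return tuple(
        f"otpauth://totp/{quote(issuer)}:{quote(label)}"
        f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period={STEP}"
        for label in (label_a, label_b)
    )


def secret_from_uri(uri: str) -> bytes:
    """Recover the shared secret an authenticator would import from a scanned URI."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore stripped padding


def code_matches(secret: bytes, spoken: str, now: int, skew_steps: int = 1) -> bool:
    """Compare the code read aloud with the local one, tolerating +/- skew_steps
    periods of clock drift (the one-or-two-period window authenticators allow)."""
    return any(
        hmac.compare_digest(totp(secret, now + STEP * k), spoken)
        for k in range(-skew_steps, skew_steps + 1)
    )
```

The secret in the test is the RFC 6238 reference key, so the generated codes can be checked against the RFC's own test vectors.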

Broader Implications

The emergence of tools like PeerAuth reflects growing concern about AI-generated synthetic media in real-time communications. Voice cloning technology has advanced to the point where convincing impersonations can be generated from short audio samples. Video deepfakes, while more computationally intensive, continue to improve in quality and accessibility.

Financial institutions and enterprises have reported increases in social engineering attacks that leverage AI-generated voice to impersonate executives or family members. The FBI and other agencies have issued warnings about "grandparent scams" and business email compromise attacks enhanced with synthetic voice.

PeerAuth represents a grassroots approach to the authentication problem, leveraging existing infrastructure rather than requiring new protocols or centralized services. The tool's open-source nature allows security researchers to audit the implementation and propose improvements.

The project also demonstrates the dual-use nature of AI coding assistants. The developer openly acknowledged using DeepSeek to generate the initial codebase, illustrating how AI tools can accelerate development of security-focused applications.

What Remains Unclear

Several aspects of PeerAuth's practical deployment remain unresolved:

The tool does not specify recommended procedures for the initial QR code exchange. Users must determine their own trusted channel for sharing the setup codes, whether in person, through encrypted messaging, or other means.

Long-term key management presents challenges. If users lose access to their authenticator app or need to re-establish the shared secret, they must repeat the initial exchange process through a trusted channel.

The effectiveness of TOTP-based verification against sophisticated real-time attacks has not been formally analyzed. While the approach raises the bar for attackers, determined adversaries with sufficient resources might still conduct successful impersonation attacks.

Adoption patterns and user behavior with the tool remain unknown. Whether non-technical users can successfully deploy and use PeerAuth for its intended purpose has not been studied.

What to Watch

Several developments could affect the relevance and adoption of human-to-human authentication tools:

Standardization efforts around identity verification in real-time communications may emerge as deepfake concerns grow. Industry groups and standards bodies may propose more formal protocols for mutual authentication.

Authenticator app vendors may add features specifically designed for peer-to-peer verification, potentially with improved user interfaces or additional security properties.

Research into real-time deepfake detection continues to advance. If reliable automated detection becomes available, the need for manual verification procedures may diminish.

Regulatory responses to AI-generated impersonation in financial and legal contexts may drive adoption of verification procedures, creating demand for tools like PeerAuth or more sophisticated alternatives.

Sources

  1. Schneier on Security - "Pairwise Authentication of Humans" - February 10, 2025 - https://www.schneier.com/blog/archives/2025/02/pairwise-authentication-of-humans.html

  2. PeerAuth Project Page - https://ksze.github.io/PeerAuth/

  3. Hacker News Discussion - "PeerAuth, TOTP-based peer authentication in the post-truth world" - February 5, 2025 - https://news.ycombinator.com/item?id=42942854

  4. IETF RFC 6238 - "TOTP: Time-Based One-Time Password Algorithm" - https://datatracker.ietf.org/doc/html/rfc6238