Time-based one-time passwords (TOTPs) are the standard one-time password computer algorithm. They extend the hash-based message authentication code (HMAC) one-time password (HMAC-based one-time password, or HOTP for short).
TOTPs can be used instead of, or as an additional factor alongside, traditional longer-lived two-factor authentication solutions, such as SMS messages or physical hardware tokens that can be easily stolen or forgotten. So what exactly are time-based one-time passwords? How do they work?
What is a TOTP?
TOTP is a temporary one-time code that is generated in line with the current time by a user authentication algorithm. There’s an extra layer of security for your accounts based on two-factor authentication (2FA) or multi-factor authentication (MFA). This means that after you have entered your username and password, you must enter a specific code that is time-based and short-lived.
TOTP is so called because it uses a standard algorithm to generate a unique and numerical one-time code using Greenwich Mean Time (GMT). This means that the password is generated from the current time in this period. The codes are also generated from a shared secret or secret seed password provided during user registration with the authentication server, either through QR codes or plain text.
This password is displayed to the user, who is expected to use it for a certain amount of time, after which it expires. Users enter their one-time password, username and regular password in a login form within a limited time. After expiration, the code is no longer valid and cannot be used on a login form.
TOTPs include a string of dynamic numeric codes, usually between four and six digits, that change every 30 to 60 seconds. The Internet Engineering Task Force (IETF) published TOTP, described in RFC 6238, and uses a standard algorithm to obtain a one-time password.
Members of the Initiative for Open Authentication (OATH) are the brains behind TOTP’s invention. It was sold exclusively under patent, and various authentication vendors have since marketed it after standardization. It is currently widely used by cloud application providers. They are easy to use and available for offline use, making them ideal for use on airplanes or when you don’t have network coverage.
How does a TOTP work?
As the second authorization factor on your apps, TOTPs add an extra layer of security to your accounts by requiring you to enter the one-time numeric codes before signing in. They are popularly called “software tokens”, “soft tokens”, and “app-based authentication” and find use in authentication apps such as Google Authenticator and Authy.
The way it works is that after you enter your account username and password, you’ll be asked to add a valid TOTP code in another login interface as proof that you own the account.
In some models, the TOTP comes to you on your smartphone via an SMS text message. You can also get the codes from an authentication smartphone application by scanning a QR image. This method is the most commonly used and the codes usually expire after about 30 or 60 seconds. However, some TOTPs can last 120 or 240 seconds.
The password is created on your side instead of the server’s using the authentication application. For this reason, you always have access to your TOTP so that the server does not need to send an SMS every time you log in.
There are other methods by which you can get TOTP:
- Hardware Security Tokens.
- Email messages from the server.
- Voice messages from the server.
Because TOTP is time-based and expires within seconds, hackers don’t have enough time to guess your passwords. In this way, they provide additional security to the weaker username and password authentication system.
For example, you want to log on to your workstation that uses TOTP. You first enter the username and password for the account, and the system asks you for a TOTP. You can then read it from the hardware token or QR image and enter it in the TOTP login field. After the system authenticates the password, it logs you into your account.
The TOTP algorithm that generates the password requires your device’s time entry and your secret seed or key. You don’t need internet connection to generate and verify TOTP, which is why authenticator apps can work offline. TOTP is required for users who want to use their accounts and need authentication while traveling on airplanes or in remote areas where network connectivity is not available.
How is TOTP authenticated?
The following process provides a simple and brief guide on how the TOTP authentication process works.
When a user wants to access an application such as a cloud network application, they are prompted to enter the TOTP after entering their username and password. They ask for 2FA to be enabled and the TOTP token uses the TOTP algorithm to generate the OTP.
The user enters the token on the request page and the security system configures its TOTP using the same combination of the current time and the shared secret or key. The system compares the two passwords; if they match, the user is authenticated and granted access. It is important to note that most TOTPs will authenticate with QR codes and images.
TOTP vs. HMAC-based one-time password
The HMAC-based one-time password provided the framework upon which TOTP was built. Both TOTP and HOTP share similarities, as both systems use a secret key as one of the inputs to generate the password. However, while TOTP uses the current time as the second input, HOTP uses a counter.
Furthermore, in terms of security, TOTP is more secure than HOTP because the generated passwords expire after 30 to 60 seconds, after which a new one is generated. In HOTP, the password remains valid until you use it. For this reason, many hackers can gain access to HOTPs and use them to carry out successful cyber attacks. Although HOTP is still used by some authentication services, most popular authentication apps require TOTP.
What are the benefits of using a TOTP?
TOTPs are beneficial because they give you an extra layer of security. The username-password system alone is weak and often vulnerable to Man-in-the-Middle attacks. But with the TOTP-based 2FA/MFA systems, the hackers don’t have enough time to access your TOTP even if they have stolen your traditional password, so they have little opportunity to hack your accounts.
TOTP authentication provides additional security
Cybercriminals can easily access your username and password and hack your account. However, with the TOTP-based 2FA/MFA systems, you can have a more secure account because TOTPs are timed and expire within seconds. Implementing TOTP is clearly worth it.