What is TOTP?
The abbreviation TOTP stands for Time-based One-time Password Algorithm. It is a method that generates time-limited, one-time use passwords for logging into a system. In contrast to HOTP (HMAC-based One-time Password), the procedure is time-based and not event-driven. In addition, there is no validation window with multiple simultaneously valid passwords.
The Initiative For Open Authentication (OATH) developed the procedure. It is standardized in RFC 6238, which was published in 2011. TOTP passwords are often used as part of two-factor authentication together with apps or tokens to generate the passwords. If unauthorized persons gain knowledge of a TOTP password, they can hardly use it because it loses its validity after just a few seconds.
How the Time-based One-time Password Algorithm works
The Time-based One-time Password Algorithm uses the Keyed-Hash Message Authentication Code (HMAC) to calculate time-based passwords. The generation requires a secret key agreed between the user and the system they want to log in to, and time information synchronized between the user and the system. The time information is Unix time, which counts the seconds since January 1, 1970 00:00 UTC.
The number of seconds is rounded down to a 30-second time step. The algorithm generates an HMAC value from this rounded number and the secret key. The HMAC is truncated to a specific bit length and represented as a six- or eight-digit decimal number using a modulo operation. Because the time information is synchronized, the calculation yields the same value for the user and the system, and authentication succeeds. If sufficiently synchronized and accurate time information is not available, authentication fails.
Differentiation between HOTP and TOTP
In addition to TOTP, there is another method for generating one-time passwords called HMAC-based One-time Password (HOTP). HOTP is event-driven rather than time-driven. In addition to the secret key, an event-driven counter is used to generate the one-time password, rather than the rounded seconds value.
The counter is incremented by one for the generation of each new password. On the server, the counter also increases after each successful authentication. Since this method can cause the counters to diverge and usually does not allow constant synchronization of the counter, servers usually accept a larger number of one-time passwords. This is called a validation window. Only if the one-time password falls outside the window does authentication fail; the user’s token must then be resynchronized with the server.
Since with TOTP only one password is valid for about 30 seconds at a time, the method is considered more secure than HOTP.
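The following Python is an added example, not code from the original article, that shows the calculation described in the section on how the algorithm works and the HOTP/TOTP difference described above: HOTP (RFC 4226) computes an HMAC over an 8-byte counter and applies dynamic truncation, and TOTP (RFC 6238) is the same routine with the counter replaced by the Unix time divided by 30. Function and class names are my own. The verifier for TOTP takes a skew parameter (my design choice): skew=0 gives exactly one valid code per time step as the article describes, while skew=1 additionally tolerates one step of clock drift in either direction. The HOTP validator keeps the server-side counter and implements the look-ahead validation window. The key b"12345678901234567890" is the ASCII test key from the RFCs' test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    # Dynamic truncation: the low nibble of the last MAC byte selects a 4-byte window;
    # its top bit is masked off to yield a 31-bit integer, reduced modulo 10^digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the time step floor(T / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, skew: int = 0) -> bool:
    """Check a submitted code against the current step and +/- `skew` neighbouring steps.

    skew=0 accepts only the single code of the current 30-second step; skew=1 tolerates
    one step of clock drift (assumption: a small drift window is a deployment choice).
    """
    current = unix_time // step
    ok = False
    for c in range(current - skew, current + skew + 1):
        # No early return: constant-time compare on every candidate so that timing
        # does not reveal which step (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return bool(ok)


class HotpValidator:
    """Server-side HOTP state with a look-ahead validation window (name is my own)."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value the server expects

    def verify(self, candidate: str) -> bool:
        # Accept any of the next `window` counter values to absorb tokens that were
        # generated but never submitted; on success the server counter jumps past
        # the matched value, so the same code (or any earlier one) is rejected afterwards.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                self.counter = c + 1
                return True
        return False  # outside the window: token must be resynchronised out of band


if __name__ == "__main__":
    # Constructed demo key; real deployments use a random per-user secret.
    demo_key = b"12345678901234567890"
    now = int(time.time())
    print("current TOTP:", totp(demo_key, now))
    print("valid now:", verify_totp(demo_key, totp(demo_key, now), now))
```

The expected values for the RFC test key are the published test vectors: HOTP counters 0 and 1 give 755224 and 287082, and TOTP at Unix time 59 (time step 1) gives 287082 with six digits and 94287082 with eight, which shows directly that TOTP is HOTP evaluated at counter floor(59 / 30) = 1.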
Using the time-based one-time password algorithm for two-factor authentication
TOTP is often used to generate an additional authentication feature as part of two-factor authentication. The password is generated using a special hardware token or an app on the user’s smartphone.
As a second factor, the time-dependent one-time password can only be used for a limited time thanks to TOTP. Since unauthorized persons can hardly come into possession of a one-time password and it is only valid for a short time, two-factor authentication via TOTP is considered extremely secure. However, the secret key used to generate the passwords must not become known to unauthorized persons.