TOTP (algorithm)
   HOME

TheInfoList



OR:

Time-based one-time password (TOTP) is a
computer algorithm In mathematics and computer science, an algorithm () is a finite sequence of rigorous instructions, typically used to solve a class of specific problems or to perform a computation. Algorithms are used as specifications for performing ca ...
that generates a
one-time password A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid seve ...
(OTP) that uses the current time as a source of uniqueness. As an extension of the
HMAC-based one-time password algorithm HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC. It is a cornerstone of the Initiative for Open Authentication (OATH). HOTP was published as an informational IETF RFC 4226 in December 2005, documenting th ...
(HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard . TOTP is the cornerstone of
Initiative for Open Authentication Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication. It has close to thirty coordinating and contributing memb ...
(OATH), and is used in a number of
two-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...
(2FA) systems.


History

Through the collaboration of several OATH members, a TOTP draft was developed in order to create an industry-backed standard. It complements the event-based one-time standard HOTP, and it offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and
security Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF. In May 2011, TOTP officially became
RFC RFC may refer to: Computing * Request for Comments, a memorandum on Internet standards * Request for change, change management * Remote Function Call, in SAP computer systems * Rhye's and Fall of Civilization, a modification for Sid Meier's Civ ...
6238.


Algorithm

To establish TOTP authentication, the authenticatee and authenticator must pre-establish both the HOTP parameters and the following TOTP parameters: * ''T'', the
Unix time Current Unix time () Unix time is a date and time representation widely used in computing. It measures time by the number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970, the beginning of the Unix epoch, less adjustments m ...
from which to start counting time steps (default is 0), * ''T'', an interval which will be used to calculate the value of the counter ''C'' (default is 30 seconds). Both the authenticator and the authenticatee compute the TOTP value, then the authenticator checks whether the TOTP value supplied by the authenticatee matches the locally generated TOTP value. Some authenticators allow values that should have been generated before or after the current time in order to account for slight
clock skew Clock skew (sometimes called timing skew) is a phenomenon in synchronous digital circuit systems (such as computer systems) in which the same sourced clock signal arrives at different components at different times due to gate or, in more advanced ...
s, network latency and user delays. TOTP uses the HOTP algorithm, replacing the counter with a non-decreasing value based on the current time: TOTP value(''K'') = HOTP value(''K'', ''C''), calculating counter value C_T = \left\lfloor\frac\right\rfloor, where * ''C'' is the count of the number of durations ''T'' between ''T'' and ''T'', * ''T'' is the current time in seconds since a particular
epoch In chronology and periodization, an epoch or reference epoch is an instant in time chosen as the origin of a particular calendar era. The "epoch" serves as a reference point from which time is measured. The moment of epoch is usually decided by ...
, * ''T'' is the epoch as specified in seconds since the
Unix epoch Current Unix time () Unix time is a date and time representation widely used in computing. It measures time by the number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970, the beginning of the Unix epoch, less adjustments m ...
(e.g. if using
Unix time Current Unix time () Unix time is a date and time representation widely used in computing. It measures time by the number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970, the beginning of the Unix epoch, less adjustments m ...
, then ''T'' is 0), * ''T'' is the length of one time duration (e.g. 30 seconds). Unix time is not strictly increasing. When a
leap second A leap second is a one-second adjustment that is occasionally applied to Coordinated Universal Time (UTC), to accommodate the difference between precise time (International Atomic Time (TAI), as measured by atomic clocks) and imprecise observe ...
is inserted into UTC, Unix time repeats one second. But a single leap second does not cause the
integer part In mathematics and computer science, the floor function is the function that takes as input a real number , and gives as output the greatest integer less than or equal to , denoted or . Similarly, the ceiling function maps to the least int ...
of Unix time to decrease, and ''C'' is non-decreasing as well so long as ''T'' is a multiple of one second.


Security

Unlike
passwords A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
, TOTP codes are single-use, so a compromised credential is only valid for a limited time. However, users must enter TOTP codes into an authentication page, which creates the potential for
phishing attacks Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
. Due to the short window in which TOTP codes are valid, attackers must proxy the credentials in real time. TOTP credentials are also based on a shared secret known to both the client and the server, creating multiple locations from which a secret can be stolen. An attacker with access to this shared secret could generate new, valid TOTP codes at will. This can be a particular problem if the attacker breaches a large authentication database.


See also

*
Botan (programming library) Botan is a BSD-licensed cryptographic and TLS library written in C++11. It provides a wide variety of cryptographic algorithms, formats, and protocols, e.g. SSL and TLS. It is used in the Monotone distributed revision control program, the Open ...
*
FreeOTP FreeOTP is a free and open-source software token that can be used for two-factor authentication. It provides implementations of HOTP and TOTP. Tokens can be added by scanning a QR code or by manually entering in the token configuration. It is m ...
*
Google Authenticator Google Authenticator is a software-based authenticator by Google that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; sp ...
*
multiOTP multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the ...


References

{{refs


External links


Step by step Python implementation in a Jupyter Notebook

Designing Docker Hub Two-Factor Authentication
(section "Using Time-Based One-Time Password (TOTP) Authentication"). Internet protocols Computer access control Cryptographic algorithms