Time-based One-time Password algorithm

Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness. As an extension of the HMAC-based one-time password (HOTP) algorithm, it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238. TOTP is a cornerstone of the Initiative for Open Authentication (OATH) and is used in a number of two-factor authentication (2FA) systems.


History

Through the collaboration of several OATH members, a TOTP draft was developed in order to create an industry-backed standard. It complements the event-based one-time password standard HOTP, and it offers end-user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF. In May 2011, TOTP officially became RFC 6238.


Algorithm

To establish TOTP authentication, the authenticatee and authenticator must pre-establish both the HOTP parameters (the shared secret K, the HMAC hash function and the number of output digits) and the following TOTP parameters:

* T_0, the Unix time from which to start counting time steps (default is 0),
* T_X, an interval which will be used to calculate the value of the counter C_T (default is 30 seconds).

Both the authenticator and the authenticatee compute the TOTP value, then the authenticator checks whether the TOTP value supplied by the authenticatee matches the locally generated TOTP value. Some authenticators also accept values that would have been generated one or more time steps before or after the current time, in order to account for slight clock skew, network latency and user delays.

TOTP uses the HOTP algorithm, replacing the counter with a non-decreasing value based on the current time:

TOTP value(K) = HOTP value(K, C_T),

calculating the counter value as

C_T = \left\lfloor \frac{T - T_0}{T_X} \right\rfloor,

where
* C_T is the count of the number of durations T_X between T_0 and T,
* T is the current time in seconds since a particular epoch,
* T_0 is the epoch as specified in seconds since the Unix epoch (e.g. if using Unix time, then T_0 is 0),
* T_X is the length of one time duration (e.g. 30 seconds).


Security

Unlike passwords, TOTP codes are only valid for a limited time. However, users must still enter TOTP codes into an authentication page, which creates the potential for phishing attacks; because of the short window in which a TOTP code is valid, an attacker must proxy the credentials to the real service in real time rather than collecting them for later use. TOTP credentials are also based on a shared secret known to both the client and the server, creating multiple locations from which the secret can be stolen. An attacker with access to this shared secret can generate new, valid TOTP codes at will. This is a particular problem if the attacker breaches a large authentication database: unlike a password, the secret cannot be stored as a one-way hash, because the server needs the raw key to compute the HMAC, so it must be kept in a recoverable form (at best, encrypted at rest).


See also

* Botan (programming library)
* FreeOTP
* Google Authenticator
* multiOTP
* Comparison of TOTP applications

