What Is a Time-Based One-Time Password and Should You Use One?

A padlock with codes placed on a keyboard beside a card with a chip

Time-based one-time passwords (TOTPs) are the standard one-time password computer algorithm. They expand on the hash-based message authentication code (HMAC) one-time password (HMAC-based One-time Password, or HOTP for short).

TOTPs can be used in place of, or as an additional factor alongside, traditional, longer-lived two-factor authentication solutions, such as SMS messages or physical hardware tokens that can be stolen or forgotten easily. So what exactly are time-based one-time passwords? How do they work?

What Is a TOTP?

TOTP is a temporary, single-use passcode generated in line with the current time by an algorithm for user authentication. It is an added layer of security for your accounts that is based on two-factor authentication (2FA) or multi-factor authentication (MFA). This means that after you have entered your username and password, you are required to enter a particular code that is time-based and short-lived.

TOTP is so named because it uses a standard algorithm to work out a unique and numeric one-time passcode using Greenwich Mean Time (GMT). That is, the passcode is generated from the current time during that period. The codes are also generated from a shared secret or a secret seed passcode provided at user registration with the authentication server, either through QR codes or plaintext.

This passcode is shown to the user, who is expected to use it for a specified time, after which it expires. Users enter the one-time passcode, their username, and regular password into a login form within a limited time. After expiration, the code is not valid anymore and cannot be used on a login form.

TOTPs include a string of dynamic numeric codes, usually between four and six digits, that change every 30 to 60 seconds. The Internet Engineering Task Force (IETF) published TOTP, described in RFC 6238, and uses a standard algorithm to obtain a one-time password.

Members of the Initiative for Open Authentication (OATH) are the brains behind TOTP’s invention. It was sold exclusively under patent, and different authentication vendors have since marketed it following standardization. It is currently widely used by cloud application providers. They are user-friendly and available for offline use, which makes them ideal for use on airplanes or when you don’t have network coverage.

How Does a TOTP Work?

locked programming laptop screen

TOTPs, as the second authorization factor on your apps, provide your accounts with an extra layer of security because you need to provide the one-time numeric passcodes before you’re logged in. They are popularly called “software tokens,” “soft tokens,” and “app-based authentication” and find use in authentication apps like Google Authenticator and Authy.

The way it works is that after you have input your account username and password, you’re prompted to add a valid TOTP code into another login interface as proof that you own the account.

In some models, the TOTP gets to you on your smartphone through an SMS text message. You can also get the codes from an authenticator smartphone application by scanning a QR image. This method is the most widely used, and the codes usually expire after about 30 or 60 seconds. However, some TOTPs can last 120 or 240 seconds.

The passcode is created on your end instead of the server’s using the authenticator application. For this reason, you always have access to your TOTP so that the server doesn’t need to send an SMS whenever you log in.

There are other methods through which you can get your TOTP:

  • Hardware security tokens.
  • Email messages from the server.
  • Voice messages from the server.

Because the TOTP is time-based and expires within seconds, hackers don’t have enough time to anticipate your passcodes. That way, they provide additional security to the weaker username and password authentication system.

Hand Stealing Login Credentials from Unlocked Padlock

For instance, you want to log into your workstation that uses TOTP. You first input your username and password for the account, and the system prompts you for a TOTP. You can then read it from your hardware token or the QR image and type it into the TOTP login field. After the system authenticates the passcode, it logs you into your account.

The TOTP algorithm that generates the passcode requires your device’s time input and your secret seed or key. You don’t need internet connectivity to generate and verify the TOTP, which is why authentication apps can work offline. TOTP is necessary for users who want to use their accounts and need authentication during travel on airplanes or in remote areas where network connectivity isn’t available.

How Is TOTP Authenticated?

The following process provides a simple and brief guide on how the TOTP authentication process works.

When a user wants access to an application like a cloud network application, they are prompted to input the TOTP after entering their username and password. They request that 2FA be enabled, and the TOTP token uses the TOTP algorithm to generate the OTP.

The user enters the token on the request page, and the security system configures its TOTP using the same combination of the current time and the shared secret or key. The system compares the two passcodes; if they match, the user is authenticated and granted access. It’s important to note that most TOTP will authenticate with QR codes and images.

TOTP vs. HMAC-Based One-Time Password

Password Field With Lock Symbol on It
Image Credit: Christiaan Colen / Visualhunt.com

The HMAC-based One-time Password provided the framework on which TOTP was built. Both TOTP and HOTP share similarities, as both systems use a secret key as one of the inputs for generating the passcode. However, while TOTP uses the current time as the other input, HOTP uses a counter.

Furthermore, in terms of security, TOTP is more secure than HOTP because the generated passwords expire after 30 to 60 seconds, after which a new one is generated. In HOTP, the passcode remains valid until you use it. For this reason, many hackers can access HOTPs and use them to carry out successful cyberattacks. Even though HOTP is still used by some authentication services, most popular authenticator apps require TOTP.

What Are the Benefits of Using a TOTP?

TOTPs are beneficial because they provide you with an additional layer of security. The username-password system alone is weak and commonly subjected to Man-in-the-Middle attacks. However, with the TOTP-based 2FA/MFA systems, the hackers don’t have enough time to access your TOTP even if they’ve stolen your traditional password, so they have little opportunity to hack your accounts.

TOTP Authentication Provides Additional Security

Cybercriminals can easily access your username and password and hack your account. However, with the TOTP-based 2FA/MFA systems, you can have a more secure account because TOTPs are time-bound and expire within seconds. Implementing TOTP is clearly worth it.

Leave a Reply
Previous Article
This Is How ‘Hard’ Your Typical Workout Should Be

This Is How ‘Hard’ Your Typical Workout Should Be

Next Article
Top Solana NFT projects DeGods and y00ts to leave the blockchain and 'explore new opportunities' • TechCrunch

Top Solana NFT projects DeGods and y00ts to leave the blockchain and 'explore new opportunities'

Related Posts