Time-based One-time Password Algorithm
The Time-based One-Time Password algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. It has been adopted as Internet Engineering Task Force is the cornerstone of Initiative For Open Authentication (OATH), and is used in a number of two-factor authentication systems.
TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. Because network latency and out-of-sync clocks can result in the password recipient having to try a range of possible times to authenticate against, the timestamp typically increases in 30-second intervals, which thus cuts the potential search space.
In a typical two-factor authentication application, user authentication proceeds as follows: a user enters username and password into a website or other server, generates a one-time password for the server using TOTP running locally on a smartphone or other device, and types that password into the server as well. The server then also runs TOTP to verify the entered one-time password. For this to work, the clocks of the user's device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ±1 time interval from the client's timestamp). A single secret key, to be used for all subsequent authentication sessions, must have been shared between the server and the user's device over a secure channel ahead of time. If some more steps are carried out, the user can also authenticate the server using TOTP.
TOTP is based on HOTP with a timestamp replacing the incrementing counter.
The current timestamp is turned into an integer time-counter (TC) by defining the start of an epoch (T0) and counting in units of a time step (TS). For example:
- TC = floor((unixtime(now) − unixtime(T0)) / TS),
- TOTP = HOTP(SecretKey, TC),
- TOTP-Value = TOTP mod 10d, where d is the desired number of digits of the one-time password.
According to RFC 6238, the reference implementation is as follows:
- Generate a key, K, which is an arbitrary byte string, and share it securely with the client.
- Agree upon a T0, the Unix time to start counting time steps from, and an interval, TI, which will be used to calculate the value of the counter C (defaults are the Unix epoch as T0 and 30 seconds as TI)
- Agree upon a cryptographic hash method (default is SHA-1)
- Agree upon a token length, N (default is 6)
Although RFC 6238 allows different parameters to be used, the Google implementation of the authenticator app does not support T0, TI values, hash methods and token lengths different from the default. It also expects the K secret key to be entered (or supplied in a QR code) in base-32 encoding according to RFC 3548.
Once the parameters are agreed upon, token generation is as follows:
- Calculate C as the number of times TI has elapsed after T0.
- Compute the HMAC hash H with C as the message and K as the key (the HMAC algorithm is defined in the previous section, but also most cryptographical libraries support it). K should be passed as it is, C should be passed as a raw 64-bit unsigned integer.
- Take the least 4 significant bits of H and use it as an offset, O.
- Take 4 bytes from H starting at O bytes MSB, discard the most significant bit and store the rest as an (unsigned) 32-bit integer, I.
- The token is the lowest N digits of I in base 10. If the result has fewer digits than N, pad it with zeroes from the left.
Both the server and the client compute the token, then the server checks if the token supplied by the client matches the locally generated token. Some servers allow codes that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.
Weaknesses and vulnerabilities
TOTP codes can be phished just as passwords can, though they require phishers to proxy the credentials in real time rather than collect them later on in time.
Implementations that don't limit login attempts are vulnerable to brute forcing of codes.
An attacker who steals the shared secret can generate new, valid TOTP codes at will. This can be a particular problem if the attacker breaches a large authentication database.
Because TOTP devices have batteries that go flat, clocks that can de-sync, and because software versions are on phones that users can lose or have stolen, all real-world implementations have methods to bypass the protection (e.g.: printed codes, email-resets, etc.), which can cause a considerable support burden for large user-bases, and also gives fraudulent users additional vectors to exploit.
TOTP codes are valid for longer than the amount of time they show on the screen (usually two or more times longer). This is a concession that the authenticating and authenticated sides' clocks can be skewed by a large margin.
All One Time Password-based authentication schemes (TOTP and HOTP included, among others) are still vulnerable to session hijacking, i.e., commandeering a user's session after they have logged in.
A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF. In May, 2011, TOTP officially became RFC 6238. |- |Salesforce.com |Account access, Step-up authentication |- |Authy |Account access, Step-up authentication |- |ServiceNow | |- |Google |Google Authenticator |- |Facebook |Login Approval, Code Generator |- |Amazon |Amazon Web Services |- |Bitbucket |Account access |- |Dropbox |Account access |- |Evernote |Account access |- |Gandi |Account access |- |Zoho |Account access |- |GitHub |Account access |- |Hiveage |Account access |- |LastPass |Account access |- |Linode |Account access |- |Wordpress.com |Account access |- |Hover |Account access |- |LinOTP | |- |OpenAM |Java based single sign-on |- |ownCloud |Account Access |- |Nextcloud |TOTP two-factor authentication |- |multiOTP |Tooling, web site integration, web service, radius plugin |- |privacyIDEA |Authentication backend |- |- |Token2 |Token2 TOTPRadius - a RADIUS server designed for two-factor authentication |- |XenForo | |- |Symantec |VIP Access |- |HashiCorp |Vault |- |Yandex |Account access |- |}
|Company||Product / Part|
|Google Authenticator||Developed by Google and published in Playstore and AppStore|
|Microsoft Authenticator||Developed by Microsoft, has capability to generate a 8 character token for Microsoft sites and 6 character for others|
|FreeOTP||FreeOTP has been developed from Google Authenticator and maintained by RedHat|