What is a time-based one-time password (TOTP)? Should I use it?

TOTP is a temporary, one-time-use passcode that an algorithm generates from the current time in order to authenticate the user.

Time-based one-time password (TOTP) is a standard algorithm for computing one-time passwords. It extends the earlier one-time password scheme based on hash-based message authentication codes (HMAC-based One-Time Password, HOTP for short).

TOTP can be used in place of, or as an additional factor alongside, traditional two-factor authentication methods such as SMS messages or physical hardware tokens, which can be compromised, stolen or forgotten. So what exactly is a time-based one-time password (TOTP), and how does it work?

What is TOTP?

TOTP is a temporary, one-time-use passcode that an algorithm generates from the current time to authenticate the user. It adds an extra layer of security to accounts protected by two-factor authentication (2FA) or multi-factor authentication (MFA): after entering your username and password, you are asked to enter a specific, time-based, short-lived code.

TOTP is so named because it uses a standard algorithm to derive a one-time numeric passcode from Greenwich Mean Time (GMT); that is, the code is computed from the current time within a fixed time period. The code is also derived from the shared secret (the secret seed) that the authentication server provides, as a QR code or in plaintext, when the user enrolls.


This passcode is shown to the user, who must use it within a certain period of time, after which it expires. The user enters the one-time passcode, along with the regular username and password, into the time-limited login form. Once expired, the code is no longer valid and is rejected by the login form.

A TOTP is a dynamic sequence of codes, typically 4 to 6 digits long, that changes every 30 to 60 seconds. TOTP was published by the Internet Engineering Task Force (IETF), is described in RFC 6238, and uses a standard algorithm for obtaining one-time passwords.

Members of Open Authentication (OATH) are the brains behind the invention of TOTP. It was sold exclusively under patent, and since then other authentication vendors have marketed it as a standard. It is now widely used by cloud application providers. TOTP codes are user-friendly and can be generated offline, which makes them ideal for use on airplanes or outside coverage areas.

How does TOTP work?


TOTP, as the second authentication factor in an app, gives your account an extra layer of security because you must provide a one-time numeric password before you can log in. These codes are often referred to as 'software tokens', 'soft tokens' or 'app-based authentication' and are used in authenticator applications such as Google Authenticator and Authy.

In practice, after you enter your account username and password, you are prompted to enter a valid TOTP code in a second login screen as proof that you own the account.

In terms of delivery, TOTP usually arrives on your smartphone via SMS text message. You can also get the code from an authenticator app on your smartphone after scanning the QR code. This method is the most widely used, and the code usually expires after about 30 or 60 seconds, although some TOTPs last 120 or 240 seconds.

The passcode is generated on your side, by the authenticator application, rather than by the server. For this reason you always have access to your TOTP, and the server does not need to send an SMS every time you log in.

There are other ways to receive a TOTP, such as:

  1. Hardware security tokens.
  2. Email from the server.
  3. Voice messages from the server.

Because a TOTP is time-based and expires within seconds, attackers do not have enough time to guess your passcode. In this way, the solution adds a layer of security on top of the weaker username-and-password authentication system.


For example, suppose you want to log in to a workstation using TOTP. You first enter the username and password for the account, and the system prompts you for the TOTP. You then read it from the hardware token or from the authenticator app you enrolled via the QR image and enter it in the TOTP login field. Once the system has authenticated the passcode, you are logged into your account.

The TOTP algorithm generates a password from two inputs: your device's time and your seed (secret key). No Internet connection is needed to generate or verify a TOTP, which is why authenticator apps work offline. TOTP is therefore essential for users who need to authenticate to their accounts while traveling on an airplane or in remote areas without network coverage.

How is TOTP authenticated?

The following is a simple, concise outline of how TOTP authentication works.

When a user wants to access an application, such as a cloud network application, they are prompted for the TOTP after entering their username and password. The user must have enabled 2FA; their TOTP token then runs the TOTP algorithm to generate the one-time password.

The user enters the token on the prompt page, and the security system computes its own TOTP from the same combination of the current time and the shared key or seed. The system compares the two passwords; if they match, the user is authenticated and granted access. Note that most TOTP deployments enroll the user by scanning a QR code image.

How is TOTP different from HOTP?


HOTP provided the framework on which TOTP is built. The two are similar in that both use the secret key as one of the inputs for generating the code. However, where TOTP uses the current time as the other input, HOTP uses a counter.

Furthermore, TOTP is more secure than HOTP because the generated password expires after 30 to 60 seconds, after which a new password is generated. In HOTP, a passcode remains valid until it is used. For this reason, hackers who obtain HOTPs can use them to carry out successful cyber attacks. Although HOTP is still used by some authentication services, most popular authenticator applications require TOTP.

What are the benefits of using TOTP?

TOTPs are beneficial because they add an extra layer of security. The username-and-password system alone is very weak and is often the target of man-in-the-middle attacks. With TOTP-based 2FA/MFA, however, attackers do not have enough time to use your TOTP even if they have stolen your traditional password, so they have little chance of compromising your account.

TOTP Authentication provides additional security

Cybercriminals can easily obtain your username and password and take over your account. With TOTP-based 2FA/MFA, however, your account is more secure because each TOTP expires within seconds. Adopting TOTP is clearly worthwhile.

Update 27 June 2023