The Secret Security Wiki


OTP, HOTP and TOTP

What is OTP? And what’s the difference between HOTP and TOTP?

One-time password (OTP) offers a clever and elegant way to authenticate a user. Authentication works by verifying that the user is in possession of a shared secret, without the user having to communicate the secret itself. To authenticate, the user derives a one-time password from his copy of the shared secret and communicates it to the authentication server together with his username. The server uses the username to look up the shared secret linked to that user’s account and independently derives a one-time password from its own copy of the shared secret. If the one-time password generated by the user matches the one generated by the server, then the server knows that the user is in possession of the shared secret and the user is successfully authenticated.

To generate a one-time password from the shared secret – also referred to as the seed – a special one-way function is used to ensure that the OTP does not reveal anything about the shared secret it was derived from. So if an attacker intercepts the OTP, he cannot learn from it anything about the shared secret used to create it. 

Also, as the name suggests, a one-time password is good for a single use: once it has been used to authenticate the user, it cannot be used again. The next authentication will require deriving a new, different OTP.

OTP can be implemented using different algorithms and deployed on different computing hardware. The two leading algorithms are HOTP and TOTP. Both offer comparable security.

The HMAC-based One-time Password algorithm (HOTP) is a one-time password algorithm that uses hash-based message authentication codes (HMAC). HOTP is a freely available open standard. It was developed by the Initiative for Open Authentication (OATH) and published as the informational IETF RFC 4226 in December 2005. OATH developed and published the algorithm to overcome RSA Security’s grip on the market for OTP authentication with its patented TOTP technology.

In a nutshell, to generate a HOTP, a secret key and a running counter (counting the number of OTPs generated) are fed as input into a one-way cryptographic hash function (e.g. SHA-256) that outputs a hash code which is the OTP. Both the user and the server increment their counter to stay in sync. Since cryptographic hash functions are one-way functions, there is no practical way to back out the secret key from the hash code. 

The Time-based One-time Password algorithm (TOTP) generates a one-time password (OTP) by taking the current time instead of a running counter as its second input. A secret key and the current time are fed as input into a cryptographic hash function that outputs an OTP. The first TOTP authentication system was developed and marketed by RSA Security. TOTP was patented by RSA Security, so they were the only company to sell it. Later on, the Initiative for Open Authentication (OATH) developed its own variant of TOTP which it made freely available.

Because TOTP uses clock time as one of its inputs into the OTP generation algorithm, differences between the time the user generates the OTP and the time the server independently generates its OTP can cause synchronization issues. Therefore, to validate a TOTP the server must test a range of TOTPs generated from a defined window of clock times (e.g., 30 seconds). If it finds a match within this range of TOTPs, then the user is successfully authenticated.

OTP can be deployed on a dedicated hardware token or on a general-purpose computing device such as a mobile phone or laptop. Deployment on general-purpose devices requires special care when storing and using the secret key. Implementation details matter because where the secret key is stored and how it is protected during use can dramatically impact the security and integrity of the authentication solution. Another critical design consideration when deploying on general-purpose computing devices is the design of the initial registration/enrollment and lost-token recovery protocols.

When deploying OTP on a dedicated hardware token device, secret key storage needs to ensure that the key is not easy to extract from the device if it falls into the wrong hands. The secret key repository in the factory that manufactures the tokens also needs to be secured. In 2011, RSA Security had a major breach in their manufacturing operation which led to the compromise of the secret keys that go into their TOTP tokens.

On the OTP authentication server, secret keys need to be well protected when stored and used. Oftentimes a hardware security module (HSM) – a dedicated, highly secured and often certified server – is used for storing the sensitive secret keys and performing OTP generation. HSMs are also commonly used in the manufacturing of OTP tokens.

OTP technology is generally disliked by users because it requires them to carry around a physical token and perform an extra step during login. And if the token is lost, fallback options can be demanding on users.

Dedicated hardware tokens are also considered expensive from a total cost of ownership (TCO) perspective. They can be expensive to procure and require costly logistics to operate.

When deployed on a mobile device, OTP tokens are dramatically cheaper to operate, as they can be deployed over the air and don’t require any dedicated hardware. 

OTP authentication technology is typically used together with passwords. It strengthens password-based authentication (something the user knows) with a second factor of authentication (something the user has). Using OTP without passwords is risky from a security perspective because if the OTP token falls into the hands of an attacker, there is nothing preventing unauthorized access – the attacker has all the credentials he needs. 

One-time password authentication is generally in decline and is being replaced by biometric and passwordless authentication solutions that are simpler and cheaper to use and have been made widely available by mobile devices.