Time Based One Time Password (TOTP)

Time-based One-Time Password (TOTP) is a single-use passcode typically used for authenticating users. The user is assigned a TOTP generator delivered as a hardware key fob or software token. The generator implements an algorithm that computes a one-time passcode using a secret shared with the authentication server and the current time – hence the name time-based OTP. The passcode is displayed to the user and is valid for a limited duration. Once expired, the passcode is no longer valid. The user enters a valid passcode into a login form, typically together with their username and regular password.

TOTP generators/tokens are commonly used as a second factor of authentication. Users are assigned a hardware token for generating the TOTP or an application that is downloaded and bound to a mobile device or PC.

TOTP was invented by RSA Security and was exclusively sold under patent until the patent expired. Today TOTP authentication solutions have been standardized by OATH and are marketed by multiple authentication vendors.

A popular alternative to TOTP has been event-based OTP, also referred to as HMAC-based One-time Password (HOTP). HOTP implements an algorithm that computes a one-time password using a secret shared with the authentication server and a counter that is incremented every time an OTP is produced (instead of the current time, as in TOTP). TOTP and HOTP are considered equally secure, though some claim that TOTP offers marginally better security because the passcodes expire after a set duration of time, requiring an attacker to use stolen passcodes in near real-time.

Frequently Asked Questions
What is the difference between TOTP and HOTP?

TOTP and HOTP deliver fundamentally the same outcome – a one-time passcode for authenticating users. They differ in the algorithm used to generate the passcode. TOTP uses a shared secret and the current time to derive the one-time passcode, and HOTP uses a shared secret and a counter. Some consider TOTP to be more secure than HOTP because its passcodes expire, which requires an attacker to use intercepted passcodes in near real-time.

What is TOTP used for?

TOTP is used for authenticating users. It is typically used in conjunction with a regular password, which means it is used as a second factor of authentication.

What are HMAC-based One-time Passwords?

HMAC-based One-time Password (HOTP) is a popular alternative to TOTP, which implements an algorithm that computes the one-time password using a secret shared with the authentication server and a counter that is incremented every time an OTP is produced (instead of the current time, as in TOTP). HOTP was standardized by OATH to overcome patents that protected the TOTP algorithm. The patents have since expired.

What are TOTP vulnerabilities?

TOTP passcodes can be phished just as passwords can, though because the passcodes are short-lived, they require the attacker to intercept the passcodes and use them in near real-time.

If the shared secret used in a TOTP authentication scheme is stolen, an attacker can generate new, valid TOTP codes at will.

How is HMAC used in TOTP?

Hash-based message authentication code (HMAC) is used in TOTP to combine the shared secret key with the current timestamp to generate a one-time passcode. It essentially applies a cryptographic hash function to the two values to create the passcode.