The Secret Security Wiki


Time Based One Time Password

Time-based One-Time Password (TOTP) is a single-use passcode typically used for authenticating users. The user is assigned a TOTP generator delivered as a hardware key fob or software token. The generator implements an algorithm that computes a one-time passcode using a secret shared with the authentication server and the current time – hence the name time-based OTP. The passcode is displayed to the user and is valid for a limited duration. Once expired, the passcode is no longer valid. The user enters a valid passcode into a login form, typically together with their username and regular password.

TOTP generators/tokens are commonly used as a second factor of authentication. Users are assigned a hardware token for generating the TOTP or an application that is downloaded and bound to a mobile device or PC.

TOTP was invented by RSA Security and was exclusively sold under patent until the patent expired. Today TOTP authentication solutions have been standardized by OATH and marketed by multiple authentication vendors.

A popular alternative to TOTP has been event-based OTP, also referred to as HMAC-based One-Time Password (HOTP). HOTP implements an algorithm that computes a one-time password using a secret shared with the authentication server and a counter that is incremented every time an OTP is produced (instead of the current time in TOTP). TOTP and HOTP are considered equally secure, though some claim that TOTP offers marginally better security because the passcodes expire after a set duration of time, requiring an attacker to use stolen passcodes in near real-time.