How is OTP Generated


The most common way to generate an OTP is the Time-Based One-Time Password (TOTP). In these OTP systems, time is the cardinal factor used to generate the unique password. The password is created from the current time and a secret key.

• The backend server generates the secret key
• The server shares the secret key with the service generating the OTP
• A hash-based message authentication code (HMAC) is generated over the secret key and the current time using the SHA-1 algorithm.

☝️ After this step, the result looks like this:

• A 20-byte-long code (the SHA-1 HMAC output)
• truncated to the required size
• The last byte is read and an OFFSET is determined from it. At this step the OTP is 288083
• The counter is started and the OTP is sent

Understanding TOTP

1. What is TOTP?
TOTP stands for Time-based One-Time Password. It is a mechanism used for two-factor authentication (2FA) to enhance security. Unlike traditional SMS-based OTPs, TOTP generates a unique password that is valid only for a short period (typically 30 seconds).

2. How TOTP Works:
Secret Key Generation:
The backend server generates a secret key.
This key is shared with the service (e.g., an authentication app) responsible for generating

HMAC Algorithm:
An HMAC (Hash-based Message Authentication Code) is generated using the SHA-1 algorithm.
The HMAC combines the secret key and the current time.

Time Flexibility:
TOTP considers system times from both the authentication server and the token generation
It generates an 8-digit numerical code that changes every 30 seconds.
Each user has a distinct TOTP generated based on their secret key and the current time.

3. Why Use TOTP?
Advantages over SMS-based OTPs:
Independence from Mobile Networks: TOTPs do not rely on mobile network delivery, reducing

Enhanced Security: The short validity window minimizes the risk of interception or replay

No Network Delays: TOTPs work even when network connectivity is poor.
Privacy: TOTP is completely private to the user.
Consistent Time Synchronization: TOTP accounts for slight time variations between devices.

Demystifying TOTP: How Time-Based OTPs Enhance Security

In the digital age, securing our online accounts is paramount. One powerful tool in this endeavor is the Time-Based One-Time Password (TOTP). Let's explore what TOTP is, how it works, and why it's gaining popularity.

What is TOTP?
TOTP is a dynamic password generation method that relies on time synchronization. Unlike
traditional SMS-based OTPs, TOTP provides enhanced security and flexibility.

How TOTP Works

Secret Key Generation:
The backend server generates a secret key. This key is securely shared with the user’s authentication app.

HMAC Algorithm:
The app combines the secret key with the current time using the SHA-1 algorithm.
The result is an 8-digit numerical code.

Time Flexibility:
TOTP codes change every 30 seconds.
The system time of both the server and the app ensures accurate synchronization.
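The generation steps listed at the top of the page (HMAC-SHA1 over the secret and the time counter, a 20-byte digest, an offset taken from the last byte, truncation to the required digits) and the time-window tolerance described in this section, as an added example that is not part of the original post. It follows RFC 4226/6238; the secret value below is the RFC reference test key, used here only as constructed input.

```python
import hmac
import hashlib
import struct
import time

# Added example (not the post's own code): HOTP/TOTP per RFC 4226 / RFC 6238.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a raw secret and a 64-bit counter."""
    msg = struct.pack(">Q", counter)                       # counter as 8-byte big-endian
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1 output
    offset = digest[-1] & 0x0F                             # low 4 bits of the last byte
    # Dynamic truncation: 4 bytes at the offset, top bit cleared, reduced to N digits
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits)

def verify_totp(secret: bytes, candidate: str, for_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates clock drift of +/- `window` steps
    (the 'time flexibility' the text mentions) and compares in constant time."""
    t = int(time.time()) if for_time is None else for_time
    for drift in range(-window, window + 1):
        expected = hotp(secret, (t // step) + drift, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

# RFC 4226 / 6238 reference test key (constructed input, not a real secret)
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 1))                  # 287082  (RFC 4226 vector, counter 1)
    print(totp(RFC_SECRET, 59, digits=8))       # 94287082 (RFC 6238 vector, T=59)
    # A code from the previous 30-second step is still accepted within the window
    print(verify_totp(RFC_SECRET, "14050471", 1111111141, digits=8))  # True
```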

Advantages of TOTP

Network Independence:
TOTPs work offline, eliminating reliance on mobile networks.

Short Validity Window:
A TOTP is valid for only 30 seconds, reducing the risk of interception.

Privacy and Security:
Each user has a unique TOTP.
No personal information is transmitted during authentication.
Consistent Time Synchronization:
TOTP accounts for minor time variations across devices.

By understanding TOTP, users can make informed choices about securing their accounts. Whether it's protecting financial transactions or safeguarding sensitive data, TOTP plays a crucial role in modern cybersecurity.
