What Is a Time-Based One-Time Password (TOTP)?

Modern identity management relies on multi-factor authentication to maintain account security above and beyond simple passwords. One-Time Passwords (OTPs) are a vital part of this effort.

What are Time-Based OTPs? TOPTs are one-time passwords that use synced clocks to generate and cycle through authentication tokens for added system security.

What Is a One-Time Password?

A One-Time Password (OTP) is a form of authentication in which the authentication system generates pseudo-randomized tokens, or strings of alphanumeric characters, to verify user identity. A common form of multi-factor authentication (MFA), one-time passwords fill the role of “ownership,” or proof that the user has access to a particular device or delivery method.

In an OTP scheme, the authentication system generates a secure one-time authentication token, often in the form of a string of numbers, to which the user has access. This token is unique to the transaction at hand and will only be known through the ownership of the delivery mechanism of the password (which can be both hardware- and software-based).

OTPs provide users with a secure form of MFA because they are generally easy to disseminate and use as a second authentication factor. Currently, several common forms of OTP delivery exist in enterprise and consumer markets.

These forms of token delivery include:

  • Email/SMS: By far, the most common OTP method is the delivery of a token via SMS text or email. The authentication system uses the user’s credentials to send an OTP to one of these services, requiring the user to input the OTP once received. This approach is generally more secure than single-factor authentication, with the caveat that it is useless should users have access to their devices or email stolen.
  • Hardware Tokens: Some strict security schemes require users to have physical tokens. These devices may resemble a badge, keychain fob, or USB key and generate keys synced to the conditions of the authentication server. However, they do not require Internet access and can only be compromised if the device is lost or stolen.
  • Software Authenticators: A common alternative to hardware keys are software authenticators that generate tokens. Common mobile apps like Microsoft Authenticator or Google Authenticator provide added security by eliminating the need to send OTPs across SMS or email.
  • Push Authentication: Modern OTP systems can use push notifications on a mobile phone to send a one-time password or even bypass the need for an OTP entirely.

With all the possible ways to send an OTP, it’s still critical that these passwords are random and secure–if a hacker could guess an OTP, they are next to worthless. To avoid that issue, there are several ways that OTPs are generated:

  • Hash-Based: Hash-Based OTPs (HTOPs) are generated using a hashing function that often includes a secret key and a “moving factor” to create pseudo random tokens. This moving factor is pulled from the environment to make guessing OTPs or their generation mechanisms impossible.

    Generally, general HTOPs can draw from information gathered during an initial transaction (i.e., the initial password-based authentication in an MFA verification request). Additionally, some hash-based systems will utilize “hash chains,” or sequences of OTPs based on the values of previous one-time passwords.

  • Challenge-Response: Challenge-response systems will use user input as a moving factor in OTP generation. This moving factor could be the password the user provides or the answer to a specific security question.
  • Time-Based: Time-Based OTPs (TOTPs) use system time and other factors to create and cycle through one-time passwords for additional security.

How Do Time-Based One-Time Passwords Work?

Time-Based OTPs are those created using a synchronized timestamp as a moving step to seed a random key. This moving step is used to regenerate a new OTP once per interval, so the actual OTP required for multi-factor authentication changes each interval.

The result is a continuing cycle of OTPs that don’t rely on a specific input to generate. This generation cycle can continue unimpeded such that, at any given time, a user may access a pseudorandom OTP for MFA purposes.

The fluid nature of TOTPs provides several significant security benefits to enterprises and users by protecting against specific attacks, namely:

  • Brute-Force Password Attacks: Brute-force attacks are those that involve, as the name suggests, hammering authentication systems with password lists (usually dictionaries or lists of common or default passwords).

    This is a general feature of most MFA systems, but OTPs circumvent even the possibility of password guessing by requiring access to a service account or device.

  • Phishing: Phishing attacks count on users giving up passwords via email or SMS so that hackers can gain access to important accounts. OTPs mitigate this possibility by requiring that hackers also have access to an OTP to authenticate.
    In the case of TOTPs, this challenge is amplified by the fact that the hacker would need to own either the token-generation device or an end-user’s token authenticator (such as a software app) at the exact moment of verification to get the right token.
  • Replay Attacks: Replay attacks are when a third party intercepts credentials and attempts to insert them into an authentication process to spoof their identity, usually soon after the original transaction. Because TOTPs require time-sensitive tokens, there’s no way to spoof credentials in a time-sensitive way accurately.

While TOTPs prevent several attacks, they are still vulnerable if a token generator (hardware or software) is stolen. For example, if the user has an OTP application on their phone and the phone is stolen, then the benefits of TOTPs are largely irrelevant.

What Are the Benefits of TOTP?

TOTP, and MFA writ large, provide significant business and security advantages over single-factor authentication. Additionally, a TOTP system can address significant issues with authentication security–namely, implementation, onboarding, and adoption.

These benefits include:

  • Cost Reduction: OTP systems generally are common and relatively easy to implement. Using TOTPs involves very little investment above and beyond typical MFA systems. Finally, even third-party authentication and identity providers can offer robust MFA and OTP support for a straightforward monthly fee. All of these factors combine to reduce costs (in terms of both time and money) for advanced security.
  • User Friendly: OTP systems integrate well with mobile and networked technologies. Software TOTPs are readily available for tablets and smartphones, so your employees can easily install and use the technology without changing their normal computing habits. This reduces the complexity of onboarding or adoption–often serious issues in adopting proper security methods.
  • Scalable: OTPs, and TOTPs, are easy to scale. You only need an authentication server and delivery methods (apps, hardware tokens, etc.) to distribute. That’s it.
  • Secure: TOTPs provide a critical layer of time-sensitive security that can thwart some of the most common and challenging threats facing enterprises today, specifically phishing and other social engineering attacks.

Trust 1Kosmos Authenticators in Your Identity Verification System

Identity management has gone almost entirely unchanged for 60 years. Even new forms of authentication have relied on slowly-evolving technologies that need to catch up with the times.

1Kosmos changes the authentication landscape by combining MFA (including using time-based OTPs) with passwordless authentication and decentralized identity management. The result? Ultra-secure enterprise systems that also reduce user roadblocks for adoption with intuitive UX design for quick and easy onboarding.

With 1Kosmos BlockID, you get the following benefits:

  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Learn more about 1Kosmos Authenticators with our documentation.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.