A time-based one-time password (TOTP) is a type of one-time password that uses the current time as a source of uniqueness. It is a temporary passcode, generated by an algorithm, that uses the current time of day as one of its factors for authentication.
This method is commonly used for two-factor authentication (2FA) to provide an additional layer of security. TOTPs are usually enabled via authentication apps and the generated passwords are only valid for a certain period of time, usually 30 to 60 seconds.
How time-based one-time passwords work
Time-based one-time passwords use the current time and a shared secret to generate a unique password. The TOTP algorithm is technically a variation of the HMAC-Based One-Time Password (HOTP) algorithm, where the counter is replaced with the current time value.
The process involves a hash function that takes an arbitrary-length input and produces a short, fixed-length string of characters. The property that matters here is that the function is one-way: given only the output, you cannot recover the inputs (the shared secret and the time value) that produced it.
It’s noteworthy that TOTPs are more secure than HOTPs. In TOTP, a new password is generated every 30 seconds while in HOTP, a new password is generated only after it has been used. A one-time password in HOTP can stay valid until it’s used to authenticate, providing plenty of time for potential hackers to carry out an attack.
TOTPs can be delivered through various methods such as hardware security tokens, mobile authenticator apps, text messages, email or voice messages from a centralized server. After receiving the code, the user inputs it to verify their identity.
Strengths of time-based one-time passwords
Time-based one-time passwords are more secure and are not easily compromised. They are efficient in preventing unauthorized access because they are valid only for a short duration. Even if someone intercepts the password, they won’t be able to use it after the limited time window expires.
Furthermore, every TOTP is unique, reducing duplication risks. TOTPs boost safety in multi-factor authentication systems, making it harder for cybercriminals to breach accounts even if they have the user’s basic login details.
Moreover, TOTPs encourage users to authenticate their operations swiftly, increasing operational efficiency.
Weaknesses of time-based one-time passwords
Time-based one-time passwords do have a few weaknesses. Firstly, users need to enter passwords into an authentication page, which can increase the potential for phishing attacks. Attackers could mimic these sites and trick users into revealing their one-time passwords.
Secondly, TOTP relies on a shared secret known by both the client and the server. This creates more places from which the secret can potentially be stolen. If an attacker gains access to this shared secret, they could generate valid TOTP codes at will, which is particularly dangerous if a large authentication database is breached.
Lastly, the TOTP algorithm depends on precise time synchronization between the token generator (usually a hardware device or software application) and the server. Drift in the time settings can lead to the generated OTP not matching the OTP the server expects, making it useless. This is a huge problem for offline, hardware-based tokens, and even though there are various methods to account for this drift, they cannot entirely prevent it from happening.
The time-sensitive nature of TOTPs can also be a drawback. If a user does not immediately enter the TOTP, it can expire, so servers must account for this delay in their design to prevent user frustration from repeated lock-outs.
OTP vs. TOTP vs. HOTP
OTP, TOTP, and HOTP are all types of one-time passwords used for authentication, but they are generated differently.
One-time password (OTP)
A one-time password is a password that is valid for only one login session or transaction. Once it is used, it is no longer valid for future use. They are often used as an additional layer of security on top of a standard password.
HMAC-Based One-Time Password (HOTP)
HOTP is an algorithm that creates a one-time password using a Hash-Based Message Authentication Code (HMAC). The password changes each time it’s requested, based on a counter that increments each time a new OTP is generated. The OTP is valid until a new one is requested and validated on the server.
Time-Based One-Time Password (TOTP)
TOTP is another algorithm that generates a one-time password, but instead of the changing factor being a counter like with HOTP, the changing factor is time. The password remains valid for a specific “time step,” generally 30 or 60 seconds, and then a new password must be generated.
HOTP vs. TOTP
The primary difference between HOTP and TOTP is the variable element in the OTP generation — for HOTP, it’s a counter, and for TOTP, it’s time.
Both TOTP and HOTP aim to provide stronger security than a conventional OTP, with TOTP often being considered more secure because the passwords have a limited lifespan.