What is a Time-based One-time Password (TOTP)?
- By Steven
- Published: Oct 29, 2024
- Last Updated: Oct 29, 2024
Authentication is the process that verifies a user's identity in order to control access to resources, keep unauthorized users out of the system, and record user activity (so users can be held accountable for it). It is used to verify users who log on to a server, to confirm that software comes from a reputable source, and to confirm that the sender of a message is who they claim to be.
In the modern digital landscape, cybersecurity is of the utmost importance; thus, using secure, dynamic passwords is crucial. Today, the concept of TOTP is a widely used method for enhancing security with two-factor authentication.
What is a Time-based One-time Password (TOTP)?
TOTP stands for Time-based One-time Password. The TOTP method uses the current time, divided into fixed steps, as the counter from which a different password is derived for every login attempt. A new password is produced at a predetermined interval, typically every 30 seconds. This addresses several problems with conventional static passwords, which can be forgotten, stolen, and guessed.
One-time passwords in general resolve some of these issues, but delivering them by email or SMS is unreliable and opens new attack paths (SIM swapping, message interception, compromised mailboxes). TOTP, by contrast, computes the code offline on the user's side, which makes it both convenient and safer: all you need is an authenticator app on your phone (or a hardware token), and no network access is required to produce a code.
How TOTP Differs from Other One-Time Passwords
There are several differences between a delivered OTP and a TOTP. A server-generated OTP is valid for one session or transaction and is sent to the user by email or SMS for a single authentication. It is easy to use but prone to interception and delivery delays. TOTP, on the other hand, is generated on the user's device from a shared secret key and a counter derived from the current time, so it does not rely on any external communication channel.
TOTP does, however, require that the clocks of the server and the authentication device agree to within the tolerated window. The one-time code itself is derived with a keyed hash (HMAC), as explained below.
How Does TOTP Work?
For easier understanding – we will break down the TOTP process into 4 steps:
- Shared secret key - a distinct, random byte string created when TOTP is activated. This key is usually generated by the server and securely shared with the client; typically the user scans a QR code with an authenticator app, and the QR code carries the key in base32 form. Unlike a password, the server cannot store a one-way hash of the secret, because it needs the raw value to compute codes; it must therefore be stored encrypted at rest (or inside an HSM) to guard against theft. The key must be long and truly random: RFC 4226 requires at least 128 bits (16 random bytes, 26 base32 characters) and recommends 160 bits (20 bytes, 32 base32 characters).
- Current time - To keep the generated codes in sync, server and client both use the current Unix time, divided into fixed steps (e.g., 30 seconds). The step number T = floor((now - T0) / X), with T0 normally 0 and X the step length, is the counter fed into the next stage.
- HMAC algorithm - HMAC combines a secret key with a cryptographic hash function to produce a message authentication code. For TOTP the message is the 8-byte big-endian encoding of the counter T, so the MAC changes every step. Without the secret key an attacker cannot compute the MAC, even if they observe past codes. RFC 6238 specifies HMAC-SHA1 as the default and also allows HMAC-SHA256 and HMAC-SHA512; in practice most authenticator apps only support the SHA-1 variant, and using HMAC-SHA1 here is not affected by the known collision attacks on plain SHA-1.
- Password generation - The one-time password is then derived from the MAC by dynamic truncation: the low four bits of the last MAC byte select an offset, the four bytes starting at that offset are read as a 31-bit big-endian integer (the top bit is masked off), and that integer modulo 10^d gives a d-digit numeric code, padded with leading zeros. Because the code changes every step and is only valid for the current window, it provides protection a static password cannot. The code is normally 6 to 8 digits, which keeps it easy to type by hand.
Where is TOTP Commonly Used?
Today, TOTP is widely implemented in different sectors and industries. Below we will list applications and platforms already using TOTP (e.g., online banking, email services, cloud storage).
TOTP in Two-Factor Authentication (2FA)
It’s no longer considered secure to rely only on a username and password to protect your online accounts. To protect yourself – you should activate a two-factor authentication (2FA). By utilizing your external device to prove your identity, you’ll prevent anyone from using your data.
TOTP is implemented in popular authenticator apps (e.g., Google Authenticator, Authy, Microsoft Authenticator). Before granting access, a 2FA system demands a second credential in addition to the password. Note that a code texted to you by SMS is not a TOTP: it is a random one-time code generated and stored by the server and pushed over the phone network. A TOTP is the code your authenticator app displays without any message having been sent, and it is the stronger of the two because the phone network is not in the loop.
For added security, TOTP is also integrated directly into apps, websites, and services. Independent developers and companies implement this integration themselves, either with a server-side library or through a 2FA service exposed as a REST API or SDK (the example given here is Codeless), with client-side code written in platform languages such as Kotlin or Java for Android, JavaScript, .NET, Objective-C, and Swift.
TOTP in Corporate Environments
There are multiple benefits of implementing TOTP in enterprise security strategies. Use cases of TOTP in securing corporate accounts and data access include:
- Online banking - Many banks still send their second-factor code by SMS, which is a server-generated OTP rather than a TOTP. Banks that issue a hardware token or support an authenticator app are using TOTP: the code is computed on the token or phone from the shared secret and the current time, with nothing sent over the network.
- Cloud storage and cloud consoles - Google Cloud and Microsoft Azure accounts support TOTP-based 2FA through Google Authenticator and Microsoft Authenticator respectively; both accept any standards-compliant TOTP app, since the secret is provisioned through the same QR code format.
- Corporate email services - Instead of plain username-password logins, companies are adding TOTP as a second factor in front of corporate email and single sign-on. Requiring a dynamic code in addition to the password drastically lowers the impact of a leaked or reused password.
Security Advantages of TOTP
TOTP offers multiple security benefits:
Dynamic and Time-Sensitive
TOTP is considered more secure than a static password because the code is derived from the current time and a secret, so it changes every step. The code itself is not encrypted; its strength comes from the fact that it cannot be computed without the shared secret. A 6-digit code has only one million possible values, so the server must rate-limit attempts and enforce a short validity window; with those controls in place, online guessing is impractical.
Resistance to Replay Attacks
TOTP adds a second layer to your online accounts, making them harder to take over. The shared secret never leaves the device and server, so an attacker who watches the network sees only a short-lived code. Because a code is valid only for its time step, and because a correctly implemented server also refuses to accept a code that has already been used successfully (RFC 6238 recommends this explicitly), a captured code cannot be replayed later. TOTP does not, by itself, stop a real-time phishing proxy that relays the code within its validity window; only phishing-resistant factors such as FIDO2 keys prevent that.
User Convenience and Security Balance
TOTP is quite convenient because its codes are generated locally on your mobile device or token; network or Internet access is not required. At the same time it provides a high level of security using an open standard (RFC 6238) with free, widely available implementations, so there is no per-message or licensing cost to deploy it.
Potential Challenges and Limitations
However, some TOTP issues include time synchronization, device loss, and user error. There are also limitations due to the reliance on a single device (e.g., phone) for generating codes and potential usability concerns for non-technical users. Users should consider the need for backup and recovery options.
Time Synchronization Issues
TOTP codes depend on the clocks of the user's device and the authentication server agreeing. When the two clocks drift apart by more than a step, the code produced by the device does not match the one the server expects, which causes login errors and frustration for the user.
Synchronization is lost through clock drift on the device, delay between the code being displayed and being submitted, and device changes (when the user switches or resets the device). The standard mitigation is for the server to accept codes from a small window around the current step, typically one step either side (RFC 6238 suggests at most one step of backward drift), rather than only the exact current step. Widening the window beyond that makes guessing easier and weakens replay protection, so the window should stay small while devices keep their clocks synchronized with NTP. Servers can also record the drift observed at each successful login and compensate for it on later attempts. This balances security and ease of use.
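The four steps of the algorithm described under "How Does TOTP Work?" and the verification window discussed in this section, as one added worked example. This is example code written for this article, not code from the original page; it uses only the Python standard library, and the secrets it exercises are the ASCII test seeds from RFC 4226 and RFC 6238, not real credentials. The verifier also implements the replay rule from the section above by remembering the last counter a user authenticated with.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a drift-tolerant, replay-safe verifier."""
import hashlib  # noqa: F401  (hmac accepts digest names such as "sha1", "sha256")
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC over the 8-byte big-endian counter, then dynamic truncation to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # mask the sign bit
    return str(binary % (10 ** digits)).zfill(digits)     # keep leading zeros ("07081804")


def totp_counter(unix_time: float, step: int = 30, t0: int = 0) -> int:
    """TOTP turns wall-clock time into the HOTP counter T = floor((now - T0) / X)."""
    return int((unix_time - t0) // step)


def totp(secret: bytes, unix_time: Optional[float] = None, digits: int = 6,
         step: int = 30, algorithm: str = "sha1") -> str:
    """The code an authenticator app would display at `unix_time` (default: now)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, totp_counter(unix_time, step), digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: Optional[float] = None, digits: int = 6,
                step: int = 30, window: int = 1, last_counter: int = -1,
                algorithm: str = "sha1") -> Optional[int]:
    """Server-side check.

    Accepts the current step and `window` steps on either side to tolerate clock
    drift, refuses any counter at or before `last_counter` (the step of the user's
    last successful login, which blocks replay of an already-used code), and
    compares in constant time. Returns the matched counter, which the caller
    should persist as the new `last_counter`, or None on failure.
    """
    if unix_time is None:
        unix_time = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    current = totp_counter(unix_time, step)
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:       # already consumed, or older than the last success
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits, 30 s step, ASCII seed "1234567890" x2).
    seed = b"12345678901234567890"
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(f"T={t:>11}  counter={totp_counter(t):#018x}  code={totp(seed, t, digits=8)}")
    print("live 6-digit code for the test seed:", totp(seed))
```

Running the file prints the SHA-1 vector table from the RFC (94287082, 07081804, 14050471, 89005924, 69279037, 65353130), which is the quickest way to check a new implementation. The `last_counter` bookkeeping is what stops a code captured at login from being replayed a few seconds later within the same window.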
Dependency on Device Security
The main drawback of TOTP is that the same secret key is held on both the user's device and the server. If either is compromised, an attacker who extracts the secret can generate valid codes indefinitely and gain unrestricted access to the account. This is why secrets should be stored encrypted on the server, why phone backups of authenticator apps deserve scrutiny, and why hardware tokens, which never export the secret, are preferred for high-value accounts.
User Adoption and Understanding
A challenge of using TOTP is user education and adoption, especially for non-tech-savvy users. Adopting TOTP smoothly benefits the entire company. Users should be educated on the benefits of using TOTP and how to receive and enter the TOTP codes when authenticating to your system.
How To Set Up TOTP for Your Accounts
Here is a step-by-step guide to setting up TOTP on common platforms (e.g., Google, Facebook, banking apps).
Choosing a TOTP App
When selecting a TOTP app (e.g., Google Authenticator, Authy, Microsoft Authenticator), choose a well-known, widely trusted app available for Android and iPhone. Check how the app handles backup: Google Authenticator can sync secrets to your Google account, and Authy stores encrypted backups in its cloud, which is convenient after a lost phone but means the secrets exist outside the device.
Both Google Authenticator and Authy reduce the risks of password-only authentication by requiring possession of the registered smartphone in addition to the password. They do not protect against a user typing the current code into a phishing site, so the code must still be entered only on the genuine login page.
Step-by-Step Setup
TOTP authentication can be enabled for one or more applications. When you log in for the first time after it is enabled, the System asks you to register a device for two-factor authentication. This is how you register a device to log into your System with TOTP:
1. On your mobile device, install the Google Authenticator app.
2. Use your business login credentials on the computer to access the System (application). If the credentials are legitimate – the System will ask you to register a device for one-time passwords.
3. Link your System account to the mobile device:
- The System generates a secret key for you and shows it in the web browser both as base32 text and as a QR code (an otpauth:// URI).
- On the mobile device, launch Google Authenticator and add your System account.
- In Google Authenticator, scan the QR code from the browser, or manually enter the base32 secret key.
4. Google Authenticator generates a 6-digit TOTP code and you should enter this code in the System authentication code field.
5. The device registration procedure is not finished until you submit the TOTP code and the server confirms it.
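The server side of step 3, as an added example: generating the secret, producing the otpauth:// URI that the QR code encodes, and parsing that URI the way the authenticator app does when it scans the code. This is example code for this article rather than the page's or any vendor's own code; it follows the otpauth URI format that Google Authenticator and compatible apps accept, and the issuer and account names are made up.

```python
"""Provisioning a TOTP secret and the otpauth:// URI carried by the enrolment QR code."""
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def new_secret(nbytes: int = 20) -> bytes:
    """Random shared secret. RFC 4226 requires at least 128 bits and recommends 160."""
    if nbytes < 16:
        raise ValueError("TOTP secret must be at least 128 bits (16 bytes)")
    return secrets.token_bytes(nbytes)


def encode_secret(secret: bytes) -> str:
    """Authenticator apps expect unpadded base32; this is also what a user types by hand."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def decode_secret(text: str) -> bytes:
    """Reverse of encode_secret, tolerant of spaces and lowercase from manual entry."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """otpauth://totp/<issuer>:<account>?secret=...&issuer=...  (render this as the QR code)."""
    label = quote(f"{issuer}:{account}", safe="")
    params = {"secret": encode_secret(secret), "issuer": issuer,
              "algorithm": algorithm, "digits": digits, "period": period}
    # quote_via=quote encodes spaces as %20 rather than '+', which some apps mis-parse.
    return f"otpauth://totp/{label}?{urlencode(params, quote_via=quote)}"


def parse_provisioning_uri(uri: str) -> dict:
    """What the authenticator app does with the scanned QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.partition(":") if ":" in label else ("", "", label)
    secret = decode_secret(q["secret"])
    if len(secret) < 16:
        raise ValueError("provisioned secret is shorter than 128 bits")
    return {
        "account": account,
        "issuer": q.get("issuer", issuer_from_label),   # query parameter wins over the label
        "secret": secret,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


if __name__ == "__main__":
    # Constructed enrolment for a made-up account; the secret is freshly random each run.
    uri = provisioning_uri(new_secret(), "alice@example.com", "Example Corp")
    print(uri)
    print(parse_provisioning_uri(uri))
```

The URI (and therefore the QR code) contains the raw secret, so the enrolment page must only ever be served over TLS, shown once, and never logged; rejecting short secrets on the parsing side mirrors the key-length requirement from the "Shared secret key" step.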
Testing and Backup
Before using TOTP in production, test the full flow, including a device whose clock is a little off and a code that is submitted twice. Creating backup codes for account recovery is also important: if the end user loses the second-factor device, they can regain access with a backup code instead of going through a manual identity check. Backup codes are usually issued by the same library or SDK that handles TOTP.
Each backup code is linked to the user ID in the user's stored metadata. Store only a salted hash of each code, never the plain text, and show the codes to the user exactly once. When the user needs one, the system presents a UI where they enter it; this calls an API that validates the code, deletes it so it cannot be used again, and flags the session as having completed second-factor authentication with a backup code. Rate-limit that endpoint, because backup codes are short.
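The backup-code lifecycle described above, as an added example that is not the page's own code: codes are issued once, stored only as salted hashes, normalized on entry, compared in constant time, and deleted on first successful use. The in-memory `store` dictionary is a stand-in for whatever user-metadata storage a real deployment uses.

```python
"""Single-use backup (recovery) codes for a TOTP-protected account."""
import hashlib
import hmac
import secrets

CODE_BYTES = 5        # 40 bits of entropy, displayed as 10 hex characters (e.g. "3f9a-1c07-b2")
PBKDF2_ROUNDS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    """Accept the code with or without separators and in either case, then hash it slowly."""
    normalized = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("ascii"), salt, PBKDF2_ROUNDS)


def issue_backup_codes(store: dict, user_id: str, count: int = 10) -> list:
    """Generate fresh codes, persist only their hashes, and return the plain codes for one-time display."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    store[user_id] = {"salt": salt, "hashes": [_hash_code(c, salt) for c in codes]}
    return [f"{c[:4]}-{c[4:8]}-{c[8:]}" for c in codes]


def redeem_backup_code(store: dict, user_id: str, submitted: str) -> bool:
    """True if `submitted` matches an unused code for the user; the code is consumed on success."""
    record = store.get(user_id)
    if record is None:
        return False
    candidate = _hash_code(submitted, record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            del record["hashes"][i]                   # single use
            return True
    return False


def remaining_backup_codes(store: dict, user_id: str) -> int:
    record = store.get(user_id)
    return len(record["hashes"]) if record else 0


if __name__ == "__main__":
    # Constructed walkthrough for a made-up user.
    store = {}
    codes = issue_backup_codes(store, "user-42")
    print("show these to the user once:", codes)
    print("first use:", redeem_backup_code(store, "user-42", codes[0]))
    print("replay:   ", redeem_backup_code(store, "user-42", codes[0]))
    print("remaining:", remaining_backup_codes(store, "user-42"))
```

Warn the user when only a couple of codes remain and let them regenerate a full set, which must invalidate the old one; the session flag set after a successful redemption should also prompt the user to enrol a new TOTP device.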
TOTP is a simple yet effective tool for protecting online identities and sensitive information, and adopting it is one of the quickest improvements you can make to an authentication system. Unique, time-based codes remove the weaknesses of static passwords and of OTPs delivered over SMS or email, and raise the overall security of authentication.
In modern cybersecurity, the use of TOTP as a second factor is strongly recommended. To improve the security of your online systems, enable TOTP for your accounts wherever it is offered, and for the most sensitive accounts consider phishing-resistant hardware keys on top of it.