Monday, October 5, 2020

Time-Based One Time Password

Conventional passwords – however strong the user makes them – have a disadvantage: if somebody else knows the character string, security is no longer guaranteed. One solution would be to change passwords regularly, but even the most exemplary users do not do this every hour. 

The solution is a TOTP.



A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors.

Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers.

TOTP is in fact a further development of HOTP, which stands for HMAC-based one-time password. Like HOTP, TOTP is based on the HMAC procedure – the hash operation in the background. Both the user’s device and the server generate a hash value by combining the secret key with a counter. 

If the two values are identical, the client has proven it holds the same secret key, and authentication succeeds.

The hash function itself is not defined; in practice SHA-1 is often used (including by Google Authenticator, for example). SHA-1 generates a 160-bit hash value. For convenience, this value is shortened by a truncation step that selects a few bytes of the hash and reduces them to a decimal number.

The final result is a short number (six digits for example) which the user can easily use to sign in to the web service.

For the time-based one-time password algorithm, there are three important formulas:

TOTP = HOTP(SecretKey,CurrentTime)

This basic formula simply defines that the TOTP is a HOTP procedure with two parameters – SecretKey and CurrentTime:

SecretKey: Randomly generated password, known to both the server and the client

CurrentTime: Current time in Unix time

However, this time value changes every second, which doesn’t leave the user long enough to enter the generated code. 

In other words, one second later, the TOTP is no longer valid, because the server has already generated a new hash value. A further formula is therefore required:

CurrentTime = floor((unixtime(now) – unixtime(T0))/T1)

The CurrentTime parameter is defined as follows:

unixtime(now): Current time in Unix time

unixtime(T0): Unix time at T0, the point from which the time steps are counted – in most cases midnight on January 1, 1970 (=0)

T1: The period for which the TOTP will be valid (usually 30 seconds)

floor: Rounding function to round the calculated value down to a whole number
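As an added worked example (not code from the original post), here is a Python implementation of the formulas above: HOTP as HMAC-SHA1 over the step counter with dynamic truncation, CurrentTime as floor((now - T0)/T1) with T0 = 0 and T1 = 30, and a six-digit result. The `verify` helper, its drift window, and the secret key used for checking are my own assumptions, not part of the page.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret_key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte chooses a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep only the requested number of decimal digits, zero-padded.
    return str(code % (10 ** digits)).zfill(digits)


def current_time_step(now: int, t0: int = 0, t1: int = 30) -> int:
    """CurrentTime = floor((unixtime(now) - unixtime(T0)) / T1)."""
    return (now - t0) // t1


def totp(secret_key: bytes, now: Optional[int] = None,
         t0: int = 0, t1: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(SecretKey, CurrentTime)."""
    if now is None:
        now = int(time.time())
    return hotp(secret_key, current_time_step(now, t0, t1), digits)


def verify(secret_key: bytes, candidate: str, now: int,
           window: int = 1, t0: int = 0, t1: int = 30, digits: int = 6) -> bool:
    """Server-side check (assumed helper): accept the code for the current
    step or up to `window` steps either side, to tolerate clock drift.
    Comparison is constant-time so timing does not leak which digits match."""
    step = current_time_step(now, t0, t1)
    for delta in range(-window, window + 1):
        expected = hotp(secret_key, step + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret; a real deployment uses a random per-user key.
    demo_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(demo_secret, now=59))
```

A production verifier should additionally remember the last accepted step per user and refuse to accept the same code twice within the window.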
