Conventional passwords – however strong the user makes them – have a disadvantage: if somebody else knows the character string, security is no longer guaranteed. One solution would be to change passwords regularly, but even the most exemplary users do not do this every hour.
The solution is a TOTP.
Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers.
TOTP is in fact a further development of HOTP, which stands for HMAC-based one-time password. Like HOTP, TOTP is based on the HMAC procedure – the hash operation in the background. Both the user’s device and the server generate a hash value by combining the secret key with a counter.
Because both sides hold the same secret key and the same counter, the two values are identical, which is how the authentication works.
The hash function itself is not defined; in practice SHA-1 is often used (including by Google Authenticator, for example). SHA-1 generates a 160-bit hash value. For convenience, this value is truncated using a compression function.
The final result is a short number (six digits for example) which the user can easily use to sign in to the web service.
For the time-based one-time password algorithm, there are three important formulas:
TOTP = HOTP(SecretKey,CurrentTime)
This basic formula simply defines that the TOTP is a HOTP procedure with two parameters – SecretKey and CurrentTime:
SecretKey: Randomly generated password, known to both the server and the client
CurrentTime: Current time in Unix time
However, this time value changes every second, which doesn’t leave the user long enough to enter the generated code.
In other words, one second later, the TOTP is no longer valid, because the server has already generated a new hash value. A further formula is therefore required:
CurrentTime = floor((unixtime(now) - unixtime(T0))/T1)
The CurrentTime parameter is defined as follows:
unixtime(now): Current time in Unix time
unixtime(T0): Unix time at T0, the point from which the time steps are counted – in most cases midnight on January 1, 1970 (=0)
T1: The period for which the TOTP will be valid (usually 30 seconds)
floor: Rounding function to round the calculated value down to a whole number
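The two formulas above, together with the HMAC-SHA1 hash and the truncation to six digits described earlier, carried through in code. This is an added example, not code from the article; it follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and uses the shared test key from those RFCs as its constructed secret, with a 30-second step and T0 = 0.

```python
import hashlib
import hmac
import struct

# Shared test key published in RFC 4226 / RFC 6238 (constructed input, not a real secret)
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte
    # window of the 160-bit MAC; the top bit is masked off so the result is
    # a positive 31-bit integer, which is then reduced to the wanted digits.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def time_step(unix_now: int, t0: int = 0, t1: int = 30) -> int:
    """CurrentTime = floor((unixtime(now) - unixtime(T0)) / T1)."""
    return (unix_now - t0) // t1


def totp(secret: bytes, unix_now: int, t0: int = 0, t1: int = 30,
         digits: int = 6) -> str:
    """TOTP = HOTP(SecretKey, CurrentTime)."""
    return hotp(secret, time_step(unix_now, t0, t1), digits)


def verify_totp(secret: bytes, submitted: str, unix_now: int,
                skew_steps: int = 1, t0: int = 0, t1: int = 30) -> bool:
    """Server-side check: accept the current step plus skew_steps neighbouring
    steps to tolerate clock drift, comparing in constant time. A production
    server should also remember the last accepted step so a code cannot be
    accepted twice within the window."""
    current = time_step(unix_now, t0, t1)
    for step in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, step, len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: T=59 falls in step 1, so the code equals HOTP(K, 1)
    print(totp(RFC_TEST_SECRET, 59))
    # Same 30-second step one second later: same code; next step: new code
    print(totp(RFC_TEST_SECRET, 30), totp(RFC_TEST_SECRET, 31), totp(RFC_TEST_SECRET, 60))
```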