{"id":6696,"date":"2020-06-24T11:04:00","date_gmt":"2020-06-24T08:04:00","guid":{"rendered":"https:\/\/www.protectimus.com\/blog\/?p=6696"},"modified":"2020-06-25T16:57:22","modified_gmt":"2020-06-25T13:57:22","slug":"totp-algorithm-explained","status":"publish","type":"post","link":"https:\/\/www.protectimus.com\/blog\/totp-algorithm-explained\/","title":{"rendered":"TOTP Algorithm Explained"},"content":{"rendered":"\n<p>Time-based one-time password algorithm (TOTP) is the focus of this post. But, before we delve deeper into the TOTP meaning, we&#8217;d like to mention the organization that is instrumental in the one-time password algorithms&#8217; existence \u2014 OATH, or <a href=\"https:\/\/openauthentication.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Open AuTHentication<\/a>. OATH is a collaboration of all sorts of specialists, who made their mission to create a truly secure and universal network for all to use. We at Protectimus are proud to be a part of this collaborative effort.<\/p>\n\n\n\n<p>In this article, we will learn what OATH TOTP is. We will have a closer look at TOTP algorithm implementation and the work of the TOTP mode. 
Finally, we will provide a full list of Protectimus TOTP tokens designed for time-based token authentication to help you choose the one that suits you best.<\/p>\n\n\n\n<p><\/p>\n\n\n<div class=\"wp-block-button aligncenter\"><a class=\"wp-block-button__link has-background\" style=\"background-color: #269400;\" href=\"https:\/\/www.protectimus.com\/tokens\/?ref=TOTP-algorithm-article\" target=\"_blank\" rel=\"noreferrer noopener\">Order programmable and classic TOTP tokens here<\/a><\/div>\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Table of contents:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"#What is TOTP\">What is TOTP<\/a><\/li><li><a href=\"#TOTP background \u2014 HOTP\">TOTP background \u2014 HOTP<\/a><\/li><li><a href=\"#TOTP vs HOTP\">TOTP vs HOTP<\/a><\/li><li><a href=\"#TOTP synchronization problem\">TOTP synchronization problem<\/a><\/li><li><a href=\"#Protectimus TOTP tokens\">Protectimus TOTP tokens<\/a><\/li><\/ul>\n\n\n\n<p><a name=\"What is TOTP\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is TOTP algorithm<\/strong><\/h2>\n\n\n\n<p>We\u2019ve already answered the \u201cwhat does TOTP mean?\u201d question above. But what is TOTP authentication? An uncomplicated answer is \u2014 it\u2019s a 2-factor verification method that uses the time as a variable. Let\u2019s expand on this a bit and unravel how TOTP authentication actually operates.<\/p>\n\n\n\n<p>TOTP algorithm (<a rel=\"noreferrer noopener\" href=\"https:\/\/tools.ietf.org\/html\/rfc6238\" target=\"_blank\">RFC 6238<\/a>) implies that an OTP is a product of two parameters hashed together. These are a common value, which is a shared secret key, or seed; and a variable, in this case &#8211; the running time. 
These parameters are combined with a keyed hash function (an HMAC) to produce the code.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"650\" height=\"280\" src=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorythm-explained.jpg\" alt=\"TOTP algorithm\" class=\"wp-image-6670\" srcset=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorythm-explained.jpg 650w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorythm-explained-300x129.jpg 300w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorythm-explained-610x263.jpg 610w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><\/figure><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>Here&#8217;s a TOTP algorithm example to illustrate:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>A user wants to log into a TOTP 2FA protected application or website. For the OTP authentication to run, the user and the TOTP server need to initially share a static parameter (a secret key).<\/li><li>When the client logs into the protected website, they have to confirm they possess the secret key. So their TOTP token merges the seed and the current timestep and generates a HASH value by running a predetermined HASH function. This value essentially is the OTP code the user sees on the token.<\/li><li>Since the secret key, the HASH function, and the timestep are the same for both parties, the server makes the same computation as the user\u2019s OTP generator.<\/li><li>The user enters the OTP and if it is identical to the server\u2019s value, the access is granted. 
If the results of the calculations aren&#8217;t identical, the access is, naturally, denied.<\/li><\/ol>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"895\" height=\"648\" src=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorithm-explained.png\" alt=\"TOTP authentication explained\" class=\"wp-image-6712\" srcset=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorithm-explained.png 895w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorithm-explained-300x217.png 300w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorithm-explained-768x556.png 768w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorithm-explained-610x442.png 610w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/TOTP-algorithm-explained-287x208.png 287w\" sizes=\"auto, (max-width: 895px) 100vw, 895px\" \/><\/figure><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>To explain the above example a bit let\u2019s note here that the mentioned seed is a string of random characters, usually 16\u201332 characters long. \u201cSharing\u201d the key usually implies scanning a QR code that shows the seed generated by the server with the client&#8217;s TOTP app. Alternatively, the key is already programmed in their TOTP device. The timestep is calculated using UNIX time, which starts on January 1, 1970, UTC. The timesteps are to be 30 or 60 seconds, so the time value used for TOTP is the number of seconds run since 00:00 January 1, 1970, divided by 30, or 60. Finally, the mentioned HASH function is a cryptographic mathematic function that simply changes one value into another and usually shortens the result to 6-8 symbols. 
This result is what we called a HASH value above.<\/p>\n\n\n\n<p>All of this is specified in <a rel=\"noreferrer noopener\" href=\"https:\/\/tools.ietf.org\/html\/rfc6238\" target=\"_blank\">TOTP RFC<\/a>.<\/p>\n\n\n\n<p><a name=\"TOTP background \u2014 HOTP\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>TOTP algorithm background \u2014 HOTP<\/strong><\/h2>\n\n\n\n<p>OATH has been actively working on secure 2FA since 2004. The first algorithm that the organization created is HOTP \u2014 HMAC-based One-time Password, presented in 2005. This method uses a counter as a variable and a seed as a shared value to create OTP.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"650\" height=\"280\" src=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/03\/HOTP-algorithm.jpg\" alt=\"HOTP algorithm explained\" class=\"wp-image-6134\" srcset=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/03\/HOTP-algorithm.jpg 650w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/03\/HOTP-algorithm-300x129.jpg 300w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/03\/HOTP-algorithm-610x263.jpg 610w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><\/figure><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>The creation of a one time password is the event for the counter in HOTP, so each new password increases the counter by 1. We\u2019ve described this algorithm in every detail in <a href=\"https:\/\/www.protectimus.com\/blog\/hotp-algorithm\/\">this article<\/a>.<\/p>\n\n\n\n<p>The counter-based method has a number of flaws, we\u2019ll touch upon them next. 
So in 2008 OATH presented TOTP as an expansion of the parent algorithm, the next step of the MFA evolution.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><span style=\"color: #ff0000;\">| Read also:<\/span> <a href=\"https:\/\/www.protectimus.com\/blog\/ocra-algorithm-explained\/\">OCRA Algorithm Explained<\/a><\/p>\n\n\n\n<p><a name=\"TOTP vs HOTP\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>TOTP vs HOTP<\/strong><\/h2>\n\n\n\n<p>HOTP is a lot less bulletproof than the time-based one-time password algorithm. If a HOTP OTP token falls into a hacker&#8217;s hands, the criminal can write down the OTPs and use them at any time. The HOTP passes do not have an expiration time, the hacker just has to use one faster than the owner.<\/p>\n\n\n\n<p>Another drawback of HOTP is the server-token unsynchronization if the button on the device is pressed too many times. Remember, the counter increases with each new OTP? The server has no ability to follow how many times the token button is clicked since the physical tokens are completely offline. This is accounted for in the algorithm, but if someone clicks the button too many times unintentionally (a child plays with it), or intentionally (a criminal) the token is rendered useless.<\/p>\n\n\n\n<p>HOTP is also more vulnerable to <a href=\"https:\/\/www.protectimus.com\/blog\/brute-force-attack\/\">brute-force attacks<\/a> and other ways to guess the next OTP. The hacker would have to get access to the token and write down a few of the OTPs, the password guessing will take some serious computing and a few hours. But it\u2019s still possible.<\/p>\n\n\n\n<p>In the HOTP vs TOTP battle, TOTP security would certainly win. TOTP passwords have a limited lifespan. If a password provided by an RFC6238 TOTP generator is not used within 30, sometimes 60 seconds, it simply expires and can not be used for login. So writing the OTPs down won\u2019t do a hacker any good. 
The token button can be clicked as many times as you like; it won\u2019t put the token and server out of sync.<\/p>\n\n\n\n<p>TOTP tokens do have their own issue \u2014 time drift. But we\u2019ve already solved it in programmable tokens Protectimus Slim NFC. Let\u2019s talk about it next.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><span style=\"color: #ff0000;\">| Read also:<\/span> <a href=\"https:\/\/www.protectimus.com\/blog\/2fa-security-flaws\/\">2FA Security Flaws You Should Know About<\/a><\/p>\n\n\n\n<p><a name=\"TOTP synchronization problem\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>TOTP synchronization problem<\/strong><\/h2>\n\n\n\n<p>A TOTP hardware token is completely offline, with no network connection whatsoever. This makes it impenetrable for the majority of known hacker attacks. But the TOTP algorithm relies on the time, so the tokens are supplied with a clock of sorts \u2014 an oscillator. With no way to sync the time, a drift happens eventually. But the time the server has is always precise.<\/p>\n\n\n\n<p>The discrepancy is on average 2 minutes per year. And yes, the algorithm has a synchronization window to allow for it. But OTP tokens have batteries with a long lifetime. So, in a few years, the drift inevitably overflows the sync window and becomes an issue. Eventually, the server and the TOTP device start to generate different values.<\/p>\n\n\n\n<p>We have a very detailed <a href=\"https:\/\/www.protectimus.com\/blog\/time-drift-in-totp-hardware-tokens\/\">blog post<\/a> on this problem and how we managed to fix it. 
So we won\u2019t delve into details and just say here that since May 2019 Protectimus Slim NFC devices have the synchronization issue fixed.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><span style=\"color: #ff0000;\">| Read also:<\/span> <a href=\"https:\/\/www.protectimus.com\/blog\/totp-tokens-protectimus-slim-nfc-faq\/\">TOTP Tokens Protectimus Slim NFC: FAQ<\/a><\/p>\n\n\n\n<p><a name=\"Protectimus TOTP tokens\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Protectimus TOTP tokens<\/strong><\/h2>\n\n\n\n<p>Time-based OTP algorithm is a widely applied MFA solution, there\u2019s even Google Authenticator TOTP mode. Protectimus can offer you three tokens developed with time-based OTP RFC specification.<\/p>\n\n\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td width=\"30%\"><strong>Token<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.protectimus.com\/slim-mini\/index.php\">Protectimus Slim NFC<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6055\" src=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/Protectimus-Slim-NFC.jpg\" alt=\"Programmable TOTP token Protectimus Slim NFC\" width=\"520\" height=\"347\" srcset=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/Protectimus-Slim-NFC.jpg 520w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/Protectimus-Slim-NFC-300x200.jpg 300w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/Protectimus-Slim-NFC-321x214.jpg 321w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/Protectimus-Slim-NFC-140x94.jpg 140w\" sizes=\"auto, (max-width: 520px) 100vw, 520px\" \/><\/p>\n<p>\u00a0<\/p>\n<\/td>\n<td>\n<ul>\n<li>TOTP token card.<\/li>\n<li>New secret key can be re-programmed as many times as you wish. 
This means you can re-use the token once you stop using it for one website.<\/li>\n<li>A safer substitute for 2FA apps like TOTP Google authenticator.<\/li>\n<li>Time sync feature included.<\/li>\n<li>Waterproof.<\/li>\n<li>From 3 to 5 years of battery life.<\/li>\n<li>$29.99 per token<\/li>\n<li>12 months warranty.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.protectimus.com\/protectimus-two\/\">Protectimus TWO<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6051 size-full\" src=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/TOTP-token-Protectimus-Two.jpg\" alt=\"Classic TOTP token Protectimus Two\" width=\"593\" height=\"310\" srcset=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/TOTP-token-Protectimus-Two.jpg 593w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/02\/TOTP-token-Protectimus-Two-300x157.jpg 300w\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" \/><\/p>\n<\/td>\n<td valign=\"top\">\n<ul>\n<li>Key fob token.<\/li>\n<li>Can be used for the website or app login only if you can add its seed to the server side since the seed is hard-coded.<\/li>\n<li>Shockproof.<\/li>\n<li>Waterproof.<\/li>\n<li>From 3 to 5 years of battery life.<\/li>\n<li>11.99 per token<\/li>\n<li>12 months warranty.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.protectimus.com\/protectimus-smart\/\">Protectimus SMART OTP<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6644 size-full\" src=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart.jpg\" alt=\"Software OTP token Protectimus Smart OTP\" width=\"348\" height=\"348\" srcset=\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart.jpg 348w, 
https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart-300x300.jpg 300w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart-150x150.jpg 150w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart-160x160.jpg 160w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart-240x240.jpg 240w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart-60x60.jpg 60w, https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2020\/06\/software-authenticator-protectimus-smart-184x184.jpg 184w\" sizes=\"auto, (max-width: 348px) 100vw, 348px\" \/><\/p>\n<\/td>\n<td valign=\"top\">\n<ul>\n<li>Code generator app.<\/li>\n<li>Supports all the OATH algorithms.<\/li>\n<li>PIN code protected.<\/li>\n<li>Time sync feature included.<\/li>\n<li>Can be used for multiple websites and apps.<\/li>\n<li>If the app is deleted, the tokens created within it can&#8217;t be recovered.<\/li>\n<li>Completely free of charge.<\/li>\n<li>Available for <a href=\"https:\/\/itunes.apple.com\/app\/protectimus-smart\/id854508919?mt=8\">iOS<\/a> and <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.protectimus.android\">Android<\/a>.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Read more:<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.protectimus.com\/blog\/two-factor-authentication-types-and-methods\/\">The Pros and Cons of Different Two-Factor Authentication Types and Methods<\/a><\/li><li><a href=\"https:\/\/www.protectimus.com\/blog\/two-factor-authentication-solutions-comparison-google-authenticator-vs-protectimus\/\">Two-Factor Authentication Solutions Comparison: Google Authenticator vs. 
Protectimus<\/a><\/li><li><a href=\"https:\/\/www.protectimus.com\/blog\/10-most-popular-2fa-apps-on-google-play\/\">10 Most Popular Two-Factor Authentication Apps Compared<\/a><\/li><li><a href=\"https:\/\/www.protectimus.com\/blog\/electronic-visit-verification-system\/\">Electronic Visit Verification with Hardware Tokens<\/a><\/li><li><a href=\"https:\/\/www.protectimus.com\/blog\/two-factor-authentication-for-windows\/\">Two-factor authentication for Windows 7, 8, 10<\/a><\/li><li><a href=\"https:\/\/www.protectimus.com\/blog\/active-directory-two-factor-authentication\/\">Active Directory Two-Factor Authentication<\/a><\/li><li><a href=\"https:\/\/www.protectimus.com\/blog\/2fa-chatbots-vs-sms-authentication\/\">2FA Chatbots vs. SMS Authentication<\/a><\/li><li><a href=\"https:\/\/www.protectimus.com\/blog\/duo-vs-protectimus\/\">Duo Security vs Protectimus<\/a><\/li><\/ul>\n<span class=\"et_bloom_bottom_trigger\"><\/span>","protected":false},"excerpt":{"rendered":"<p>Time-based one-time password algorithm (TOTP) is the focus of this post. But, before we delve deeper into the TOTP meaning, we&#8217;d like to mention the organization that is instrumental in the one-time password algorithms&#8217; existence \u2014 OATH, or Open AuTHentication. 
OATH is a collaboration of all sorts of specialists, who made their mission to create [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":6725,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[3,9,15],"tags":[16,12,120,407,139,581,99],"class_list":["post-6696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-engineering","category-protectimus-products","category-rd","tag-2fa","tag-mfa","tag-multifactor-authentication","tag-strong-authentication","tag-tokens","tag-totp","tag-two-factor-authentication"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts\/6696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/comments?post=6696"}],"version-history":[{"count":26,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts\/6696\/revisions"}],"predecessor-version":[{"id":6731,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/posts\/6696\/revisions\/6731"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/media\/6725"}],"wp:attachment":[{"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/media?parent=6696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\
/wp\/v2\/categories?post=6696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.protectimus.com\/blog\/wp-json\/wp\/v2\/tags?post=6696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}