Time-based One-time Password Algorithm
TOTP (Time-based One-time Password Algorithm) is an extension of the HMAC-based One-time Password algorithm (HOTP) that uses time as its moving factor. A moving factor is a value that must change each time a new password is generated, so that a different password is produced every time even when the shared secret and other inputs stay the same. HOTP uses an event counter; TOTP instead uses the number of time steps elapsed since an agreed start time (the Unix epoch by default). The step size is a parameter of the scheme; with the default of 30 seconds recommended by the specification, a password generated at 12:00:01 differs from one generated at 12:00:31, while passwords generated at 12:00:01, 12:00:15 and 12:00:29 all fall within the same 30-second step and are therefore identical. TOTP is an Internet Engineering Task Force standard[1] and a cornerstone of the Initiative For Open Authentication (OATH).
Applications
TOTP can be used to authenticate a user to a system via a validation server that shares the user's secret. With additional protocol steps, the validation server can also authenticate itself to the user.
History
A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time password standard HOTP and offers end-user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporated all the feedback and commentary that the authors had received from the technical community on the prior versions submitted to the IETF.[2] In May 2011, TOTP officially became RFC 6238.[1]
Public Server Implementations
- Google has implemented TOTP in Google Authenticator, which is the basis of its two-factor authentication.[3]
- Amazon Web Services also supports TOTP for AWS console logins using Amazon Virtual MFA or Google Authenticator.[4]
- Dropbox has enabled the technology for account access.[5]
- Linode has enabled the technology for account access.[6]
- LastPass also supports TOTP.[7]
- LinOTP is open source and supports various TOTP and HOTP client authenticators
- totp-cgi is an open-source TOTP verification and provisioning server implemented as a Python CGI
Client Implementations
- Barada: Android app for the client side and a PAM module for the server side.
- Google Authenticator: open-source client for Android, iOS and BlackBerry, plus a PAM module for the server side.
- OATH Toolkit: GNU library and command-line client implementation for Linux systems, plus a PAM module for the server side.
- Duo Security: Duo Mobile for Android and iOS clients.[8]
- Authomator: BlackBerry 10 client.
- Authenticator: Windows Phone client for TOTP. Works with Microsoft accounts and Google accounts.
See also
References
- ^ a b "RFC 6238 - TOTP: Time-Based One-Time Password Algorithm". Retrieved July 13, 2011.
- ^ Alexander, Madison. "OATH Submits TOTP: Time-Based One Time Password Specification to IETF". Open Authentication. Retrieved 22 February 2010.
- ^ "google-authenticator - Project Hosting on Google Code". Retrieved 22 February 2010.
- ^ "AWS Multi-Factor Authentication". Retrieved 6 March 2012.
- ^ "Another layer of security for your Dropbox account". Retrieved 4 May 2013.
- ^ "Linode Manager Two-Step Authentication". Retrieved 2 May 2013.
- ^ "Introducing Support for Google Authenticator". Retrieved 4 November 2011.
- ^ "Announcing Two-Factor Authentication for Third-Party Accounts". Duo Security blog, November 2012. https://blog.duosecurity.com/2012/11/announcing-two-factor-authenticaton-for-third-party-accounts/
External links
- RFC 6238
- Initiative for Open Authentication
- OATH Toolkit is an implementation in C as a shared library, command line tool and PAM module