
Time-based one-time password: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
See also: per WP:SEEALSO, this section is for links that aren't already linked in the article
WP:MOSHEAD, tidy ref (wordpress spells authentication correctly)
Line 30: Line 30:
A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF.<ref>{{cite web |url=http://www.openauthentication.org/news/20080408|title=OATH Submits TOTP: Time-Based One Time Password Specification to IETF|last=Alexander|first=Madison|work=Open Authentication|date=|accessdate=22 February 2010}}</ref> In May, 2011, TOTP officially became [[Request for Comments|RFC]] 6238.<ref name="RFC6238" />
A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF.<ref>{{cite web |url=http://www.openauthentication.org/news/20080408|title=OATH Submits TOTP: Time-Based One Time Password Specification to IETF|last=Alexander|first=Madison|work=Open Authentication|date=|accessdate=22 February 2010}}</ref> In May, 2011, TOTP officially became [[Request for Comments|RFC]] 6238.<ref name="RFC6238" />


==Public Server Implementations==
==Server implementations==

* [[Google]] has implemented TOTP in its [[Google Authenticator]] which is the basis of its [[two-factor authentication]].<ref>{{cite web |url=http://code.google.com/p/google-authenticator|title=google-authenticator - Project Hosting on Google Code|accessdate=22 February 2010}}</ref>
* [[Google]] has implemented TOTP in its [[Google Authenticator]] which is the basis of its [[two-factor authentication]].<ref>{{cite web |url=http://code.google.com/p/google-authenticator|title=google-authenticator - Project Hosting on Google Code|accessdate=22 February 2010}}</ref>
* [[Facebook]] uses TOTP for its "Login approval" and "Code generator". <ref>{{cite web |url=https://www.facebook.com/help/413023562082171/|title=Extra security feature|accessdate=30 january 2014}}</ref>
* [[Facebook]] uses TOTP for its "Login approval" and "Code generator". <ref>{{cite web |url=https://www.facebook.com/help/413023562082171/|title=Extra security feature|accessdate=30 january 2014}}</ref>
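Review bot: the Facebook citation carried as unchanged context here has `accessdate=30 january 2014` with a lower-case month name, which the rendered reference list flags with "Check date values in: |accessdate=", and there is a stray space before the `<ref>` tag after "Code generator". Suggest `|accessdate=30 January 2014` and closing the gap so the footnote marker sits directly after the full stop.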
Line 44: Line 43:
* [[LinOTP]] is open source and supports various TOTP and [[HOTP]] client authenticators
* [[LinOTP]] is open source and supports various TOTP and [[HOTP]] client authenticators
* [[multiOTP]] is an opensource PHP implementation for HOTP, TOTP, mOTP and other tokens. It can be used as a command line tool, integrated in a web site, as a web service, as a radius plugin, etc.
* [[multiOTP]] is an opensource PHP implementation for HOTP, TOTP, mOTP and other tokens. It can be used as a command line tool, integrated in a web site, as a web service, as a radius plugin, etc.
* [[Wordpress]] has enabled the technology for account access.<ref>{{cite web | url=http://en.support.wordpress.com/security/two-step-authentication/|title=
* [[Wordpress]] has enabled the technology for account access.<ref>{{cite web |url=http://en.support.wordpress.com/security/two-step-authentication |title=Two Step Authentication |publisher=Worpress |accessdate=29 January 2014}}</ref>
Wordpress Two Step Authenication|accessdate=29 January 2014}}</ref>


==Client Implementations==
==Client implementations==
* [[Google Authenticator]] client for [[Android (operating system)|Android]], [[iOS]], and [[BlackBerry]], and also [[Pluggable Authentication Modules|PAM]] module for the server side.
* [[Google Authenticator]] client for [[Android (operating system)|Android]], [[iOS]], and [[BlackBerry]], and also [[Pluggable Authentication Modules|PAM]] module for the server side.
* [http://www.nongnu.org/oath-toolkit/ OATH Toolkit] Open source library and command line implementation of client for [[Linux]] systems, and also [[Pluggable Authentication Modules|PAM]] module for the server side.
* [http://www.nongnu.org/oath-toolkit/ OATH Toolkit] Open source library and command line implementation of client for [[Linux]] systems, and also [[Pluggable Authentication Modules|PAM]] module for the server side.
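Review bot: the tidied Wordpress citation introduces a new typo while fixing the old one: `|publisher=Worpress` is missing the "d", and it propagates into the rendered reference list as "Worpress" (the edit summary notes that the spelling of "authentication" matters, so the publisher name deserves the same care). Suggest `|publisher=WordPress`. The heading changes to sentence case ("Server implementations", "Client implementations") are consistent with each other and with WP:MOSHEAD.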

Revision as of 20:10, 8 February 2014

TOTP (Time-based One-time Password Algorithm) is an extension of the HMAC-based One Time Password algorithm (HOTP) that uses a time-based moving factor. A moving factor is a value that must change each time a new password is generated, so that a different password is always produced. A password generated at 12:00:01 will therefore differ from one generated at 12:00:31 even if every other input used to generate it is the same. Note that time is counted only in whole 30-second intervals, so a password generated at 12:00:01 will be the same as one generated at 12:00:15 or 12:00:29. TOTP is an Internet Engineering Task Force standard[1] and a cornerstone of the Initiative For Open Authentication (OATH).

Applications

TOTP can be used to authenticate a user to a system via an authentication server. With some additional steps, the user can also authenticate the validation server.

Definition

TOTP is based on HOTP, with a timestamp replacing the incrementing counter. The current timestamp is turned into a time counter by fixing the start of an epoch (T0) and counting in units of a time step (TS), using integer division: TC = (unixtime(now) - unixtime(T0)) / TS

TOTP = HOTP(SecretKey, TimeCounter), where HOTP is defined below.

TOTP-Value = TOTP(K,TC) mod 10^d, where d is the desired number of digits

Let:

  • K be a secret key
  • C be a counter
  • HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) be an HMAC calculated with the SHA-1 cryptographic hash algorithm
  • Truncate be a function that selects 4 bytes from the result of the HMAC in a defined manner

Then HOTP(K,C) is mathematically defined by

HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF

The mask is to disregard the most significant bit to provide better interoperability between processors.[citation needed]

For HOTP to be useful for an individual to enter into a system, the result must be converted into an HOTP value, a 6- to 8-digit number whose length is implementation dependent.

HOTP-Value = HOTP(K,C) mod 10^d, where d is the desired number of digits
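The definitions above carried through in Python, as an added example that is not part of the article: HOTP with HMAC-SHA1, the dynamic truncation that selects 4 bytes, the 0x7FFFFFFF mask, the mod 10^d step, and TOTP as HOTP over the time counter TC = (now - T0) / TS. The secret key used is the ASCII key from the RFC 4226 and RFC 6238 test vectors, so the outputs can be checked against those RFCs; the server-side verify_totp helper, its one-step acceptance window and its constant-time comparison are additions of this example, not something the article specifies.

```python
import hashlib
import hmac
import struct
import time

# Example key: the ASCII secret used by the RFC 4226 / RFC 6238 test vectors.
# Any real deployment generates a random per-user secret instead.
EXAMPLE_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1, dynamic truncation, 31-bit mask, then mod 10^d."""
    # C is encoded as an 8-byte big-endian counter before it is MACed
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    # Truncate: the low 4 bits of the last byte pick a 4-byte window (offset 0..15)
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # HOTP-Value = HOTP(K, C) mod 10^d, zero-padded so leading zeros survive
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(now: int, t0: int = 0, step: int = 30) -> int:
    """TC = (unixtime(now) - unixtime(T0)) / TS, using integer division."""
    return (now - t0) // step


def totp(key: bytes, now: int, digits: int = 6, t0: int = 0, step: int = 30) -> str:
    """TOTP(K, TC) = HOTP(K, TC) with the time counter as the moving factor."""
    return hotp(key, time_counter(now, t0, step), digits)


def verify_totp(key: bytes, candidate: str, now: int, digits: int = 6,
                t0: int = 0, step: int = 30, window: int = 1) -> bool:
    """Server-side check (this example's own design, not from the article):
    accept the code for the current step and up to `window` steps either side
    to absorb small clock drift, comparing each candidate in constant time."""
    tc = time_counter(now, t0, step)
    for delta in range(-window, window + 1):
        if tc + delta < 0:
            continue  # no counter before the epoch
        expected = hotp(key, tc + delta, digits)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return True
    return False


if __name__ == "__main__":
    print(hotp(EXAMPLE_KEY, 0))          # RFC 4226 vector: 755224
    print(totp(EXAMPLE_KEY, 59, 8))      # RFC 6238 vector: 94287082
    print(totp(EXAMPLE_KEY, int(time.time())))
```

Two things the listing makes concrete: the 30-second granularity the article describes (seconds 1, 15 and 29 all map to time counter 0, so they yield the same code, while second 31 maps to counter 1) and the fact that the 8-digit RFC 6238 value for T=59 ends in the 6-digit HOTP value for counter 1, since both are the same 31-bit integer reduced modulo a different power of ten.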

History

A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF.[2] In May, 2011, TOTP officially became RFC 6238.[1]

Server implementations

  • Google has implemented TOTP in its Google Authenticator which is the basis of its two-factor authentication.[3]
  • Facebook uses TOTP for its "Login approval" and "Code generator".[4]
  • Amazon Web Services also supports TOTP for AWS console logins using Amazon Virtual MFA or Google Authenticator.[5]
  • Dropbox has enabled the technology for account access.[6]
  • Evernote has enabled the technology for account access.
  • GitHub has enabled the technology for account access.[7]
  • Gandi has enabled the technology for account access.[8]
  • Linode has enabled the technology for account access.[9]
  • LastPass also supports TOTP.[10]
  • LinOTP is open source and supports various TOTP and HOTP client authenticators
  • multiOTP is an open-source PHP implementation for HOTP, TOTP, mOTP and other tokens. It can be used as a command line tool, integrated in a web site, as a web service, as a RADIUS plugin, etc.
  • Wordpress has enabled the technology for account access.[11]

Client implementations

  • Google Authenticator client for Android, iOS, and BlackBerry, and also a PAM module for the server side.
  • OATH Toolkit: open source library and command line client implementation for Linux systems, and also a PAM module for the server side.

References

  1. ^ a b "RFC 6238 - TOTP: Time-Based One-Time Password Algorithm". Retrieved July 13, 2011.
  2. ^ Alexander, Madison. "OATH Submits TOTP: Time-Based One Time Password Specification to IETF". Open Authentication. Retrieved 22 February 2010.
  3. ^ "google-authenticator - Project Hosting on Google Code". Retrieved 22 February 2010.
  4. ^ "Extra security feature". Retrieved 30 January 2014.
  5. ^ "AWS Multi-Factor Authentication". Retrieved 6 March 2012.
  6. ^ "Another layer of security for your Dropbox account". Retrieved 4 May 2013.
  7. ^ "About Two-Factor Authentication". Retrieved 4 September 2013.
  8. ^ "Gandi rolls out two-factor authentication". Retrieved 21 November 2013.
  9. ^ "Linode Manager Two-Step Authentication". Retrieved 2 May 2013.
  10. ^ "Introducing Support for Google Authenticator". Retrieved 4 November 2011.
  11. ^ "Two Step Authentication". WordPress. Retrieved 29 January 2014.