Time-based One-time Password Algorithm

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. It has been adopted as Internet Engineering Task Force standard RFC 6238,[1] is the cornerstone of Initiative For Open Authentication (OATH), and is used in a number of two-factor authentication systems.

TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.

In a typical two-factor authentication application, user authentication proceeds as follows: a user enters username and password into a website or other server, generates a one-time password for the server using TOTP running locally on a smartphone or other device, and types that password into the server as well. The server then also runs TOTP to verify the entered one-time password. For this to work, the clocks of the user's device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ±1 time interval from the client's timestamp). A single secret key, to be used for all subsequent authentication sessions, must have been shared between the server and the user's device over a secure channel ahead of time. If some more steps are carried out, the user can also authenticate the server using TOTP.


TOTP is based on HOTP with a timestamp replacing the incrementing counter.

The current timestamp is turned into an integer time-counter (TC) by defining the start of an epoch (T0) and counting in units of a time step (TS). For example:

TC = floor((unixtime(now) − unixtime(T0)) / TS),
TOTP = HOTP(SecretKey, TC),
TOTP-Value = TOTP mod 10d, where d is the desired number of digits of the one-time password.


According to RFC 6238, the reference implementation is as follows:

  • Generate a key, K, which is an arbitrary byte string, and share it securely with the client.
  • Agree upon an epoch, T0, and an interval, TI, which will be used to calculate the value of the counter C (defaults are the Unix epoch as T0 and 30 seconds as TI)
  • Agree upon a cryptographic hash method (default is SHA-1)
  • Agree upon a token length, N (default is 6)

Although RFC 6238 allows different parameters to be used, the Google implementation of the authenticator app does not support T0, TI values, hash methods and token lengths different from the default. It also expects the K secret key to be entered (or supplied in a QR code) in base-32 encoding according to RFC 3548.[2]

Once the parameters are agreed upon, token generation is as follows:

  1. Calculate C as the number of times TI has elapsed after T0.
  2. Compute the HMAC hash H with C as the message and K as the key (the HMAC algorithm is defined in the previous section, but also most cryptographical libraries support it). K should be passed as it is, C should be passed as a raw 64-bit unsigned integer.
  3. Take the least 4 significant bits of H and use it as an offset, O.
  4. Take 4 bytes from H starting at O bytes MSB, discard the most significant bit and store the rest as an (unsigned) 32-bit integer, I.
  5. The token is the lowest N digits of I in base 10. If the result has fewer digits than N, pad it with zeroes from the left.

Both the server and the client compute the token, then the server checks if the token supplied by the client matches the locally generated token. Some servers allow codes that should have been generated before or after the current time in order to account for slight clock skews, network latencies and user delays.

Weaknesses and vulnerabilities[edit]

The use of shared-secrets means that customer tokens can be emulated by anyone who steals those secrets (e.g.: break-ins at the server side stealing customer database info).

Because TOTP devices have batteries that go flat, clocks that can de-sync, and because software versions are on phones that users can lose or have stolen, all real-world implementations have methods to bypass the protection (e.g.: printed codes, email-resets, etc.), which can cause a considerable support burden for large user-bases, and also gives fraudsters additional vectors to exploit.

TOTP codes are valid for longer than the amount of time they show on the screen (usually two or more times longer). This is a concession that the authenticating and authenticated sides' clocks can be skewed by a large margin.

Most TOTP codes are unprotected (always show on a device screen, or can be seen inside text messages, often without needing to unlock the phone, or can be read simply by any unwanted user (e.g.: workmate, peers, kids) opening an app). Malware can also be installed on mobile devices to capture TOTP SMS messages or forward calls containing TOTP codes.[3]


A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF.[4] In May, 2011, TOTP officially became RFC 6238.[1]

Server implementations[edit]

  • Microsoft has implemented TOTP in its "two-step verification".[5]
  • Salesforce.com has implemented TOTP for account access and for step-up authentication when accessing parts of the application that requires high level security session.
  • ServiceNow has implemented TOTP for authentication since Geneva Release.[6]
  • Google has implemented TOTP in its Google Authenticator which is the basis of its two-factor authentication.[7]
  • Facebook uses TOTP for its "Login approval" and "Code generator".[8]
  • Amazon Web Services also supports TOTP for AWS console logins using AWS Virtual MFA or Google Authenticator.[9]
  • Bitbucket,[10] Dropbox,[11] Evernote,[12] Gandi,[13] GitHub,[14] LastPass,[15] Linode,[16] and WordPress[17] have enabled the technology for account access.
  • Hover has enabled the technology for account access.[18]
  • LinOTP is open source and supports various TOTP and HOTP client authenticators
  • TOTP is a minimal open source TOTP implementation in PHP, with support for various authenticators including Google Authenticator
  • TwoFactorAuth.Net is a well documented, well tested, open source TOTP implementation in C# available as NuGet package
  • TwoFactorAuth is a well documented, well tested, open source TOTP implementation in PHP available as Composer package
  • OpenAM is an open source Java based Single Sign On server that supports various TOTP and HOTP client authenticators
  • multiOTP is an opensource PHP implementation for HOTP, TOTP, mOTP and other tokens. It can be used as a command line tool, integrated in a web site, as a web service, as a radius plugin, etc.
  • privacyIDEA is an authentication backend that supports TOTP, HOTP, OCRA, mOTP and other token types like ssh public keys.
  • XenForo has an add-on to enable the technology for account access.[19]
  • CMO COMPLIANCE a Health, Safety & Environment Software Solution has implemented TOTP for account access authentication.
  • Symantec's VIP Access two-factor authentication is based on TOTP, as discovered through reverse engineering of the provisioning protocol.[20]
  • Token2 TOTPRadius : a RADIUS server designed for two-factor authentication
  • TOTP-Hack: An open-source implentation of TOTP in HackLang

Client implementations[edit]

  • 1Password, an OS X, Windows, iOS, Android and Windows Phone credentials-management and wallet client.
  • AuthShield, a closed source iOS, Android, BlackBerry, and Windows Phone client. Other form factors include Hard Token, implementing TOTP in addition to a challenge response authentication method.
  • Authy, a closed source iOS and Android client.
  • Authenticator Plus, a closed source iOS and Android client.
  • Google Authenticator, a closed source (open source up to version 2.21) client for Android, iOS, and BlackBerry. There is also a PAM module for the server side.
  • Firekey, an open-source,[21] web-based client with offline capability.
  • KeePass, an open-source client that runs on Windows, OS X, and Linux using .NET/Mono, can use any of several plugins for this.
  • Lockdown, a closed source iOS client.
  • Microsoft's Authenticator, a closed source client for Windows Phone.
  • Nitrokey has various USB token models capable of HOTP, TOTP, as well as the OpenPGP card protocol. Further Nitrokey's firmware and hardware are available as open source.
  • Oathgen BSD licensed command line HOTP and TOTP client for Windows, Linux, BSD and Macintosh operating systems.
  • OATH Toolkit, an open source library and command line implementation of client for Linux systems, and also a PAM module for the server side.
  • Red Hat's FreeOTP, an open-source client for Android, iOS, and Pebble (experimental).
  • QuickAuth, a client for the Pebble smartwatch.
  • Salesforce#, a client for iOS and Android.
  • SailOTP, a free software Sailfish OS client.
  • Zetetic STRIP (Secure Tool for Recalling Important Passwords), a password database for iOS, Android, Windows, and OS X.
  • Duo Mobile, a client for iOS, Android, BlackBerry, Windows Phone, and other mobile platforms, implements TOTP in addition to a proprietary push-based authentication method.
  • Authenticator, an extension for Google Chrome and Chrome OS.
  • GAuth, a web application.
  • TOTPME, a client for J2ME-compatible phones (including Nokia Series 40 and Symbian).
  • Token2, a client for Android, iOS and Windows Phone supporting TOTP with additional PIN protection.
  • Yubico Authenticator, an open source client for Android that stores secrets on a YubiKey NEO.
  • Digipass for Mobile, a client for iOS, Android, Blackberry and Windows Phone


  1. ^ a b "RFC 6238 - TOTP: Time-Based One-Time Password Algorithm". Retrieved July 13, 2011. 
  2. ^ "KeyUriFormat". Retrieved 5 August 2014. 
  3. ^ Kirk, Jeremy. "Android malware steals one-time passcodes to hijack accounts protected by two-factor authentication". PCWorld. Retrieved 17 January 2015. 
  4. ^ Alexander, Madison. "OATH Submits TOTP: Time-Based One Time Password Specification to IETF". Open Authentication. Retrieved 22 February 2010. 
  5. ^ "Microsoft Account Gets More Secure". The Official Microsoft Blog. Retrieved 17 April 2013. 
  6. ^ "Multifactor authentication". 
  7. ^ "google-authenticator – Project Hosting on Google Code". Retrieved 22 February 2010. 
  8. ^ "Extra security feature". Retrieved 30 January 2014. 
  9. ^ "AWS Multi-Factor Authentication". Retrieved 6 March 2012. 
  10. ^ "Two-step verification is here". Retrieved 11 September 2015. 
  11. ^ "Another layer of security for your Dropbox account". Retrieved 4 May 2013. 
  12. ^ "Two-Step Verification Available to All Users". Retrieved 5 January 2015. 
  13. ^ "Gandi rolls out two-factor authentication". Retrieved 21 November 2013. 
  14. ^ "About Two-Factor Authentication". Retrieved 4 September 2013. 
  15. ^ "Introducing Support for Google Authenticator". Retrieved 4 November 2011. 
  16. ^ "Linode Manager Two-Step Authentication". Retrieved 2 May 2013. 
  17. ^ "Two Step Authentication". WordPress. Retrieved 29 January 2014. 
  18. ^ "Two-step Signin is Here". Retrieved 25 February 2014. 
  19. ^ "[FreddysHouse] Two-factor Authentication". FreddysHouse. Retrieved 10 February 2014. 
  20. ^ "Reversing the Symantec VIP Access Provisioning Protocol". September 29, 2014. 
  21. ^ "fwenzel/firekey". Retrieved 14 September 2015.