Time-Based One-Time Password
This is part of the Multifactor authentication series.
Time-Based One-Time Password (TOTP) is a one-time password (OTP) algorithm based on HOTP; the difference is that it uses time instead of a counter. During activation, the server generates a random secret key and shares it with the client. On each authentication, the client derives a code from the secret key and the current time step (for example, a 30-second window) using the HOTP HMAC construction. The server performs the same computation and compares the values.
TOTP is the time-based variant of this algorithm, where a value T, derived from a time reference and a time step, replaces the counter C in the HOTP computation.
TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation.
Full requirements for TOTP are described in the RFC.
- The algorithm MUST use HOTP as a basis
- Client and server MUST be able to get the current UNIX timestamp
- Client and server MUST use the same time step
In this section, we introduce the notation and describe the TOTP algorithm.
Notation and Symbols
List of symbols used in the algorithm:
| Symbol | Description |
|---|---|
| X | time step in seconds (default value is 30, and it is the recommended value) |
| T0 | start time (default value is 0, the Unix epoch) in seconds |
| T | number of time steps between the initial counter time T0 and the current Unix time |
Description
Basically, we define TOTP as TOTP = HOTP(K, T), where K is the shared secret key and T is an integer representing the number of time steps between the initial counter time T0 and the current Unix time.
To calculate T, the following formula is used: T = floor((Current Unix time - T0) / X)
The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038. The values of the system parameters X and T0 are pre-established during the provisioning process and communicated between a prover and verifier as part of the provisioning step.
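The flow described at the top of the page (shared secret, client and server computing the same code) and the T = floor((Current Unix time - T0) / X) formula above, carried through in code. This is an added example and not code from the original page or from the series it belongs to: it uses only the Python standard library (`hmac`, `hashlib`, `struct`), the `verify_totp` function and its `window` parameter are an assumption about how a server tolerates clock skew, and the secrets in the demo and tests are the well-known ASCII test keys ("12345678901234567890"), not real credentials.

```python
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.

    The counter is packed as an unsigned 64-bit value, so a time value T
    larger than a 32-bit integer (past 2038) is handled without change.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def time_step(unix_time: int, t0: int = 0, x: int = 30) -> int:
    """T = floor((Current Unix time - T0) / X); X and T0 come from provisioning."""
    return (unix_time - t0) // x


def totp(key: bytes, unix_time: int, t0: int = 0, x: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP = HOTP(K, T): the time step replaces the HOTP counter."""
    return hotp(key, time_step(unix_time, t0, x), digits, algorithm)


def verify_totp(key: bytes, submitted: str, unix_time: int, t0: int = 0, x: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server side (assumed design): recompute the code for the current step and for
    `window` steps on either side to absorb clock skew, comparing in constant time.
    A real verifier must also remember the step of an accepted code and refuse to
    accept a code for that step again (replay protection); that bookkeeping is
    left out here to keep the example self-contained.
    """
    t = time_step(unix_time, t0, x)
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(key, t + delta, digits, algorithm)
        # accumulate instead of returning early so every candidate is checked
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    # Constructed demo key: the ASCII test secret from the RFC test vectors, not a real secret.
    key = b"12345678901234567890"
    now = int(time.time())
    code = totp(key, now)
    print("T =", time_step(now), "code =", code)
    print("verifies:", verify_totp(key, code, now))
    # A code generated one full step late is still accepted inside the default window.
    print("verifies one step late:", verify_totp(key, code, now + 30))
```

The same `hotp` routine is what both prover and verifier run; only the input changes from a stored counter to the derived time step, which is exactly the "time instead of a counter" difference the page describes. Because SHA-1 is given by name to `hmac.new`, switching to HMAC-SHA-256 or HMAC-SHA-512 is a matter of passing `algorithm="sha256"` or `"sha512"` on both sides, provided the provisioning step agreed on it.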