Time-based One-time Passwords (TOTP)

Gangani Chamika
Identity Beyond Borders
5 min read · Jun 29, 2021


Through this article, I’m going to take a deep dive into time-based one-time passwords, commonly known as TOTP. First things first. Let’s start with the basics.

What is two factor authentication?

The following factors are the three commonly accepted authentication factors, used to prove your identity when logging into a service.

  1. Something you know [Knowledge] — Password or PIN, etc.
  2. Something you have [Possession] — A trusted device with a secret key, etc.
  3. Something you are [Inherence] — Fingerprint or face recognition, etc.

If hackers remotely steal your knowledge factor (e.g. password), they still shouldn’t be able to get into your account, because they won’t have physical access to your possession factor (e.g. your trusted device). This is where TOTP steals the spotlight.

I hope you know that two factor authentication adds an extra layer of security. But how??? I’ll explain :) It simply means that even if your password has been stolen, accessing your account without your mobile device will not be possible. That is what motivates users to enable 2FA.

Registration flow of TOTP

Let’s move into the registration flow of TOTP with the following diagram. Here Bob tries to log in to the travelocity application by providing his credentials. The application then displays a QR code in Bob’s browser for him to scan with an authenticator app on his trusted device. If Bob does not already have an authenticator app, he must first install the app the service provider recommends, or any other compatible app that implements the TOTP algorithm.

After scanning the QR code, the authenticator app starts generating one-time passwords (OTPs), which are typically 6 digits long and expire every 30 seconds. Bob then types the current OTP shown on his trusted device into his browser. The application validates the OTP and enables TOTP 2FA on Bob’s account.

There are many apps available for getting TOTPs, all implemented according to the TOTP specification. The most common examples are Google Authenticator and Microsoft Authenticator. The screenshot below is from the app that I’m using to get my TOTPs.

Shared secret key via QR code

There is no magic behind QR codes. It’s just math!!! A QR code is simply a way of encoding some data. If you have a QR code scanner, just scan the following image and see!!! Then you will understand :P

You can also check out the QR Code Generator and type some text in the box to see how the QR code changes based on the text you are typing. Then you can download a QR scanner app, scan the code and verify that the text you get back is the same as the text you typed.

In TOTP, the QR code is used to encode a specially formatted URI that contains the information the authenticator app needs to generate OTP codes. The following URI is a sample, with the parts that vary per user shown as placeholders in braces.

otpauth://totp/{issuer}:{displayUsername}?secret={secretKey}&issuer={issuer}&period={timeStep}

The URI starts with “otpauth://” and then the algorithm type is defined. The type can be either HOTP or TOTP, which I will explain in this blog. So by scanning the QR code, the authenticator app learns which OTP algorithm it should use to authenticate the user. Most importantly, the URI carries the shared secret and the service provider name. Beyond that it can also include details such as the username, the hash algorithm, the number of digits and the expiry time (period) of the OTP. With the information provided through the URI, the authenticator app can generate OTPs that match what the service provider’s TOTP authenticator expects.
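To make the URI format concrete, here is an added example (my own code, not from the article or from any authenticator app) that builds the otpauth URI a service provider would encode into the enrollment QR code and then parses it back the way an authenticator app does. The issuer, account name and base32 secret are constructed sample values, not real credentials; the parser checks the scheme, the type, that the secret is valid base32, and that the issuer in the label agrees with the issuer parameter.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample secret (base32 of a short test string), not a real key.
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def build_otpauth_uri(issuer, account, secret_b32, period=30, digits=6, algorithm="SHA1"):
    """Build the otpauth:// URI that gets encoded into the enrollment QR code.

    The label is "issuer:account"; issuer is repeated as a query parameter so
    apps that ignore the label still show the service provider name.
    """
    label = quote(f"{issuer}:{account}", safe=":@")
    return (
        f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
        f"&algorithm={algorithm}&digits={digits}&period={period}"
    )


def parse_otpauth_uri(uri):
    """Parse an otpauth URI into the fields an authenticator app needs.

    Raises ValueError for anything that is not a well-formed TOTP/HOTP URI,
    so a scanned code with a bad secret or a conflicting issuer is rejected
    at enrollment time rather than producing codes that never validate.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parsed.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type: {otp_type!r}")

    # Label is "issuer:account" (the colon may arrive percent-encoded).
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, _, account = label.partition(":")
    if not account:  # no colon in the label: the whole label is the account
        label_issuer, account = "", label_issuer

    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("secret parameter missing")
    secret = params["secret"].strip().upper()
    try:  # re-pad because many encoders strip the trailing '=' characters
        base64.b32decode(secret + "=" * (-len(secret) % 8))
    except Exception as exc:
        raise ValueError("secret is not valid base32") from exc

    issuer = params.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:
        raise ValueError("issuer in label and query parameter disagree")

    return {
        "type": otp_type,
        "issuer": issuer,
        "account": account,
        "secret": secret,
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


if __name__ == "__main__":
    uri = build_otpauth_uri("Travelocity", "bob@example.com", EXAMPLE_SECRET_B32)
    print(uri)
    print(parse_otpauth_uri(uri))
```

The defaults (SHA1, 6 digits, 30 seconds) are what authenticator apps assume when the parameters are absent, which is why a provider that uses anything else must spell it out in the URI or the generated codes will never match.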

OTP generation and validation

The TOTP (Time-Based One-Time Password) algorithm is used to generate short-lived one-time passwords. It is an extension of HOTP (HMAC-Based One-Time Password), where “HMAC” stands for Hash-based Message Authentication Code.

The HOTP algorithm introduces a shared counter in order to calculate the OTP. In HOTP the user’s trusted device and the service provider each keep track of a local counter that starts at zero (0) and is incremented on every use.

hash (shared secret + shared counter) = OTP

In TOTP, the shared secret is hashed along with the time to generate the OTP, as shown below. HOTP is the key building block of TOTP: TOTP works in the same way as HOTP, except that the shared counter of HOTP is replaced by a counter derived from the current time (the number of 30-second steps elapsed since the Unix epoch).

hash (shared secret + time) = OTP

On the trusted device, the shared secret and the current time are fed into the hash function of the TOTP implementation, while the server holds the same shared secret and obtains the same current time via the Network Time Protocol (NTP), so it can run the exact same calculation. The service provider can therefore validate the OTP entered by the user, during both registration and authentication, because the TOTP algorithm performs the same calculation on the service provider’s side and on the user’s trusted device.

The OTP changes at a fixed interval, since it takes the current time as an input. Because the OTP changes within such a short time interval, the possibility of a brute force attack is very low (practically unlikely), as the attacker has only a small window of opportunity.
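The two formulas above, hash(secret + counter) for HOTP and hash(secret + time) for TOTP, are precise enough to implement directly. The following is an added example of my own (not code from the article, nor from WSO2 Identity Server or any authenticator app) that implements HOTP as specified in RFC 4226, derives TOTP from it as in RFC 6238, and adds the server-side validation step: a small tolerance window for clock drift between the device and the NTP-synced server, a constant-time comparison, and a record of the last accepted time step so that a code which was already used cannot be replayed inside its 30 seconds. The 20-byte ASCII key "12345678901234567890" is the published test key from those RFCs; the base32 secret is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret as it would appear in an otpauth URI (not a real key).
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def decode_secret(secret_b32):
    """Turn the base32 secret from the QR code into the raw HMAC key."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, algorithm="sha1"):
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, dynamically
    truncate to 31 bits, then keep the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time, period=30):
    """The TOTP 'counter': number of whole periods since the Unix epoch."""
    return int(unix_time) // period


def totp(key, unix_time=None, period=30, digits=6, algorithm="sha1"):
    """TOTP (RFC 6238) is HOTP with the time step as the counter."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(key, time_step(unix_time, period), digits, algorithm)


def verify_totp(key, submitted, unix_time=None, period=30, digits=6,
                algorithm="sha1", window=1, last_used_step=None):
    """Server-side check. Returns the accepted time step, or None.

    - accepts the current step plus/minus `window` steps to absorb clock drift;
    - compares in constant time so timing does not leak digit matches;
    - refuses any step <= last_used_step, so a captured code cannot be
      replayed while it is still "valid". The caller persists the returned
      step per user and passes it back as last_used_step next time.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    if unix_time is None:
        unix_time = time.time()
    current = time_step(unix_time, period)
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step, digits, algorithm), submitted):
            return step
    return None


if __name__ == "__main__":
    key = decode_secret(EXAMPLE_SECRET_B32)
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "valid for", 30 - int(now) % 30, "more seconds")
    print("server accepts:", verify_totp(key, code, now))
```

The window and the replay check are where the "very low" brute force probability in the text actually comes from in practice: with 6 digits and a window of three steps an online guess has roughly 3 in 1,000,000 odds per attempt, so the server must also rate-limit failed attempts per account, otherwise the short lifetime of each code does not limit an attacker who can try thousands of codes per second.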

I hope you now know why we need TOTP as an MFA option and how it works. WSO2 Identity Server provides MFA with TOTP, implemented according to the TOTP specification, which will help you secure your applications. You can check that out in the WSO2 Identity Server documentation here.

Happy reading!!!
