Time-based One-time Password algorithm


The Time-based One-time Password algorithm is an extension of the HMAC-based One-time Password algorithm generating a one-time password by instead taking uniqueness from the current time. It has been adopted as Internet Engineering Task Force standard RFC 6238, is the cornerstone of Initiative for Open Authentication, and is used in a number of two-factor authentication systems.
Because of latency, both network and human, and unsynchronised clocks, the one-time password must validate over a range of times between the authenticator and the authenticatee. Here, time is downsampled into larger durations to allow for validity between the parties. However, as with HOTP the decreased uniqueness requires additional countermeasures, such as rate limiting.

Algorithm

To establish TOTP authentication, the authenticatee and authenticator must pre-establish both the HOTP parameters and the following TOTP parameters:
Both the authenticator and the authenticatee compute the TOTPvalue, then the authenticator checks if the TOTPvalue supplied by the authenticatee matches the locally generated TOTPvalue. Some authenticators allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.

TOTP value

TOTP uses the HOTP algorithm, substituting the counter with a non-decreasing value based on the current time.
The time counter, C, is an integer counting the number of durations, T, in the difference between the current Unix time, T, and some epoch ; the latter values all being in integer seconds.
Note that Unix time is not strictly increasing. When a leap second is inserted into UTC, Unix time repeats one second. But a single leap second does not cause the integer part of Unix time to decrease, and C is non-decreasing as well so long as T is a multiple of one second.

Practical considerations

For subsequent authentications to work, the clocks of the authenticatee and the authenticator need to be roughly synchronized.

Weaknesses and vulnerabilities

TOTPvalues can be phished like passwords, though this requires attackers to proxy the credentials in real time.
Implementations that don't limit login attempts are vulnerable to brute forcing of values.
An attacker who steals the shared secret can generate new, valid TOTPvalues at will. This can be a particular problem if the attacker breaches a large authentication database.
Because TOTP devices have consumable batteries and clocks that can de-synchronize, and can be lost and/or stolen, all real-world implementations have backup methods to bypass the protection. This can create significant support costs for services with large user-bases, and also provide weak points for attackers to try first.
TOTPvalues are valid for longer than the amount of time they show on the screen. This is a concession that the authenticating and authenticated sides' clocks can be skewed by a large margin.

History

A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF. In May, 2011, TOTP officially became RFC 6238.