What is TOTP and How Does it Work?


The development of secure access to applications and cloud-based software is an ongoing challenge for companies across all industries. Ensuring that users are protected with simple but reliable security will help you protect your company's data, which in turn protects both their personal information as well as sensitive corporate assets like proprietary product designs or customer lists.


One of the best ways to combat password theft and other types of cyberattacks is the one-time password (OTP). OTPs are a form of multi-factor authentication (MFA) designed as an additional layer of protection, making it much harder for attackers to reach protected information.


To access an application or system, the user needs not only their password but also an additional credential. For example, with SMS-based MFA the system sends a text message containing a numeric string that the user must enter before being granted access; that code is a one-time password (OTP).


For B2B and B2C companies, the incentive to protect their user data while maintaining a great UX means that whatever security solution they choose needs to be streamlined without drastically interfering with workflow.


OTP authentication is an elegant solution to both security concerns and UX. There are two types of OTP: HOTP and TOTP. We’ll get into the differences of each below. But first, let’s dig a little deeper into OTP.


What is OTP and How Does it Work?

A one-time password (OTP) is like a password, but it can only be used once. OTPs are often combined with a regular password as an additional authentication mechanism, which provides an extra layer of security for the account.


OTPs are a great way to increase security and make life hard for bad actors. Use an OTP once (for example, to log in to your bank account) and it is spent: the next time someone tries to access that private information, they need a fresh code. That makes breaking into an account much harder than replaying a stolen static password or PIN, because a used OTP no longer works.


OneLogin Protect is a free app on your phone that generates OTPs for any site or application. The codes you receive by SMS text message to access certain websites are also one-time passwords (OTPs).


All OTP algorithms use two inputs to generate the code: a seed and a moving factor. The seed is a static value (a secret key) created when you establish a new account on the authentication server. The two inputs are combined by an industry-standard hash-based algorithm, such as HMAC-SHA-1, to produce the OTP, which can then be used to access your account with any major internet provider or payment processor that supports it.


While the seed doesn’t change, the moving factor does each time a new OTP is requested. How the moving factor is generated is the big differentiator between HOTP and TOTP.


What is HOTP?

The “H” in HOTP stands for HMAC (Hash-based Message Authentication Code). Put simply, the HMAC-based One-Time Password algorithm is an event-based OTP: the moving factor for each code is a counter, which makes it difficult for anyone else to guess your password.


Every time you request and validate an HOTP (for example, from a hardware token such as a YubiKey), the counter increments by one. The generated code stays valid until the next HOTP has been requested from the authentication server; at that point the token and the server synchronise their counters again so that each recognises the other's codes. Hardware generators such as Yubico's devices use HOTP to produce security codes that are validated on request by the device or website.


What is TOTP?

Time-based One-Time Password (TOTP) is, as the name says, a time-based OTP. The seed for TOTP is static, just like in HOTP, but instead of a counter the moving factor is derived from the current time, so the generated code changes at a regular interval (typically every 30 or 60 seconds).


As a rule, the amount of time in which each password is valid is 30 seconds or 60 seconds. This interval is called a time step. If you haven’t used the current code within that window and try it afterward (or if an error occurs), it will no longer work, and you need a new code to get into the application.
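The seed-plus-moving-factor construction described above, and the time-step behaviour of TOTP, as an added example (not code from the original article or from OneLogin): HOTP per RFC 4226 and TOTP per RFC 6238, checked against the secret and values published in those RFCs, plus the server-side checks that tolerate clock drift (TOTP) and counter drift (HOTP) while rejecting a code that has already been used.

```python
import hashlib
import hmac
import struct

# Reference secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): same algorithm, but the moving factor is the number
    of whole time steps elapsed since the Unix epoch instead of a counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Server-side TOTP check tolerating +/- `window` time steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(current - window, current + window + 1))


def verify_hotp(secret, code, server_counter, look_ahead=5, digits=6):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4):
    returns the resynchronised counter to store on success, None on failure.
    Counters below the stored value are never tried, so a used code is rejected."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(RFC_SECRET, 0))              # 755224
    print("TOTP, t=59 s   :", totp(RFC_SECRET, 59, digits=8))   # 94287082
```

Note that the 8-digit TOTP at t=59 ends in the 6-digit HOTP for counter 1, because 59 // 30 == 1: TOTP is simply HOTP with the time step count as the moving factor.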


Limitations and Advantages

Using MFA can be more secure, but there are limitations. One of the biggest problems with TOTP is that if you don't enter the code right away it may expire before you do, which can be a nuisance for users who have very little time or who switch between devices every day.


This leads us to TOTP, the newer of the two technologies. It is easy enough to set up, and all the user has to manage is the code itself. Because each code expires after a short window, TOTP also protects against attacks in which someone keeps guessing digits in the hope of hitting a valid code.


Since HOTP doesn’t have a time-based limitation, it’s a little more user-friendly, but it may be more susceptible to brute-force attacks, because the window in which an HOTP remains valid is potentially much longer. Some forms of HOTP account for this weakness by adding a time-based component to the code, somewhat blurring the line between the two types of OTP.


A Final Word

There are many ways to protect yourself from email-based and SMS-based MFA scams. Regardless of which type of OTP you use, generating the code on your own device with an OTP generator such as an authenticator app or a key fob is a safer way to use MFA than receiving it by SMS text message. Scammers have found creative ways to intercept SMS codes, whether through SIM card fraud or some other attack that gives them access to your texts. While SMS-based MFA is better than no MFA at all, it’s a lot less secure than having an authenticator app on your phone or using a key fob code generator.

