Overview#Time-based One-time Password Algorithm (TOTP) is defined in RFC 6238 as an extension of the One-time password (OTP) algorithm, namely the HMAC-based One-Time Password Algorithm (HOTP), as defined in RFC 4226, to support the time-based moving factor.
The HMAC-based One-Time Password Algorithm (HOTP) specifies an event-based OTP algorithm, where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security. Time-based One-time Password Algorithm has been adopted as Internet Engineering Task Force standard RFC 6238 is the cornerstone of Initiative For Open Authentication OATH and is used in a number of multi factor authentication systems.
Time-based One-time Password Algorithm is an example of a hash-based message authentication code HMAC. Time-based One-time Password Algorithm combines a secret key with the current timestamp using a cryptographic Hash Functions to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.
The Time-based One-time Password Algorithm, uses the counter for a value derived from the current Unix Time. The derived value T, is calculated using an initial time T0 and a step X as follows:
T = (Current Unix time - T0) / X
Time-based One-time Password Algorithm is used by Google Authenticator and the e Yubico OATH applet.