Time-based One-time Password Algorithm


Time-based One-time Password Algorithm (TOTP) is defined in RFC 6238 as an extension of the One-time password (OTP) algorithm, namely the HMAC-based One-Time Password Algorithm (HOTP), as defined in RFC 4226, to support the time-based moving factor.

Time-based One-time Password Algorithm is generated by HMAC(Shared Secret, timestamp), where timestamp typically change, by default, every 30 seconds.

The HMAC-based One-Time Password Algorithm (HOTP) specifies an event-based OTP algorithm, where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security. Time-based One-time Password Algorithm has been adopted as Internet Engineering Task Force standard RFC 6238 is the cornerstone of Initiative For Open Authentication Initiative for Open Authentication and is used in a number of multi factor authentication systems.

Time-based One-time Password Algorithm is an example of a hash-based message authentication code HMAC. Time-based One-time Password Algorithm combines a secret key with the current timestamp using a cryptographic Hash Functions to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.

The Time-based One-time Password Algorithm, uses the counter for a value derived from the current Unix Time. The derived value T, is calculated using an initial time T0 and a step X as follows:

T = (Current Unix time - T0) / X
Each generated OTP is valid for X seconds, by default 30.

Time-based One-time Password Algorithm is used by Google Authenticator and the e Yubico Initiative for Open Authentication applet.

More Information#

There might be more information for this subject on one of the following: