Time-based One-time Password Algorithm
Encyclopedia
TOTP - Time-based One-time Password Algorithm is an extension of the HMAC-based
One Time Password
algorithm HOTP
to support a time based moving factor. TOTP is an Internet Engineering Task Force
standard and a cornerstone of Initiative For Open Authentication
(OATH).
6238.
have implemented a version of TOTP in their Google Authenticator which is the basis of their two-factor authentication
.
HMAC
In cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message...
One Time Password
One-time password
A one-time password is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable...
algorithm HOTP
HOTP
HOTP is an HMAC-based One Time Password algorithm. It is a cornerstone of Initiative For Open Authentication .HOTP was published as an informational IETF RFC 4226 in December 2005, documenting the algorithm along with a Java implementation...
to support a time based moving factor. TOTP is an Internet Engineering Task Force
Internet Engineering Task Force
The Internet Engineering Task Force develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the TCP/IP and Internet protocol suite...
standard and a cornerstone of Initiative For Open Authentication
Initiative For Open Authentication
Initiative for Open Authentication is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication...
(OATH).
Applications
TOTP can be used to authenticate a user in a system via an authentication server. Also, if some more steps are carried out, the user can also authenticate the validation server.History
A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF. In May, 2011, TOTP officially became RFCRequest for Comments
In computer network engineering, a Request for Comments is a memorandum published by the Internet Engineering Task Force describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.Through the Internet Society, engineers and...
6238.
Implementations
GoogleGoogle
Google Inc. is an American multinational public corporation invested in Internet search, cloud computing, and advertising technologies. Google hosts and develops a number of Internet-based services and products, and generates profit primarily from advertising through its AdWords program...
have implemented a version of TOTP in their Google Authenticator which is the basis of their two-factor authentication
Two-factor authentication
Two-factor authentication is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is a part of the broader family of multi-factor authentication, which is a defense in depth approach to security...
.
External links
- RFC
- Initiative for Open Authentication
- OATH Toolkit is an implementation in C as a shared library, command line tool and PAM module