Time Based One Time Password (TOTP, OTP)
A Time-Based One-Time Password (TOTP, or OTP) is a string of dynamic digits of code, whose change is based on time. Often, these appear as sic-digit numbers that regenerate every 30 seconds.
TOTPs are derived from a secret seed password given at user registration in the form of QR code or in plaintext. TOTPs (and their seeds) are deployed on either hardware security tokens or as soft tokens, meaning mobile device apps that display the numbers. TOTP uses Greenwich Mean Time (GMT) to cipher a code from the secret.
TOTPs are used for two-factor authentication (2FA) or multi-factor authentication (MFA), layered atop shared-secret based static password authentication. After a user has entered a username and password, they are prompted to input a valid TOTP in an additional login field as proof of possession.
Some TOTP-based 2FA and MFA works by having the TOTP arrive on the user’s smartphone via SMS text message. This implementation, however, has for years been deprecated by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US federal government that researches and promotes technology innovation. The body observed that SMS 2FA and MFA are unsafe due to a known vulnerability in SS7, the protocol that enables different mobile network operators (MNOs) to communicate.
Barring a Man-in-the-Middle (MITM) attack, or compromise of their root secret, TOTPs add security to already-weak password authentication. Wwithout eavesdropping on SS7 or knowledge of the secret, for most hackers the codes are infeasible to anticipate as they are time-limited.
“My hardware token displays a TOTP that I use to log into my workstation. I begin by entering my username and password. Then I’m prompted for the TOTP, which I read off of the token and type into the third login field. Once I’ve done so, I’m logged in. I need to act fast because these codes start expiring, which — if I’m too slow — sometimes yields a login misfire and I need to try again with a fresher TOTP.”