From Wikipedia, the free encyclopedia
The Time-based One-time Password Algorithm (TOTP) is an extension of the HMAC-based One-time Password algorithm (HOTP) that supports a time-based moving factor. A moving factor is a value that must change each time a new password is generated, so that a different password is always produced. A password generated at 12:00:01 will therefore differ from one generated at 12:00:31, even if all other inputs are the same. Note that time is only counted in 30-second intervals, so a password generated at 12:00:01 will be the same as one generated at 12:00:15 or 12:00:29. TOTP is an Internet Engineering Task Force standard and a cornerstone of the Initiative For Open Authentication (OATH).
TOTP can be used to authenticate a user in a system via an authentication server. If some more steps are carried out, the user can also authenticate the validation server.
TOTP is based on HOTP, with a timestamp replacing the incrementing counter. The current timestamp is turned into a time counter (TC) by defining the start of an epoch (T0) and counting in units of a time step (TS). For example: TC = (unixtime(now) - unixtime(T0)) / TS
TOTP = HOTP(SecretKey, TimeCounter), where HOTP is defined below.
Then HOTP(K,C) is mathematically defined by
For HOTP to be useful for an individual to input to a system, the result must be converted into an HOTP value, a 6–8 digit number that is implementation dependent.
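The steps above, worked through as an added example (not code from the original article): the time counter, HOTP with HMAC-SHA-1 and dynamic truncation as specified in RFC 4226, and a server-side check. The function names, the `window` and `last_used` parameters, and the drift and replay handling are assumptions added here, following the validation guidance in RFC 6238; `KEY` is the published RFC test secret, not a real credential.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret (sample input)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA-1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros

def time_counter(now: float, t0: int = 0, ts: int = 30) -> int:
    """TC = (unixtime(now) - unixtime(T0)) / TS, using integer division."""
    return (int(now) - t0) // ts

def totp(key: bytes, now: float, digits: int = 6, t0: int = 0, ts: int = 30) -> str:
    """TOTP = HOTP(SecretKey, TimeCounter)."""
    return hotp(key, time_counter(now, t0, ts), digits)

def verify(key: bytes, candidate: str, now: float, last_used: int = -1,
           window: int = 1, digits: int = 6, t0: int = 0, ts: int = 30):
    """Return the matching time counter, or None if the code is rejected.

    window    -- time steps of clock drift tolerated on each side (assumption)
    last_used -- highest counter already accepted for this key; codes at or
                 below it are refused so a captured code cannot be replayed
    The caller must store the returned counter as the new last_used.
    """
    tc = time_counter(now, t0, ts)
    matched = None
    for c in range(tc - window, tc + window + 1):
        if c < 0 or c <= last_used:
            continue
        expected = hotp(key, c, digits).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, candidate.encode()):
            matched = c
    return matched
```
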
A TOTP draft was developed through the collaboration of several OATH members in order to create an industry-backed standard. It complements the event-based one-time standard HOTP and offers end-user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines. In 2008, OATH submitted a draft version of the specification to the IETF. This version incorporates all the feedback and commentary that the authors received from the technical community based on the prior versions submitted to the IETF. In May 2011, TOTP officially became RFC 6238.