Citi Ventures & Goldman Sachs have joined as additional investors in our record-breaking $543M funding! Read more

Time-Based One-Time Passwords: The Good, the Bad and the Ugly

Timed-based one-time passwords (TOTP) have been broadly adopted by many service providers as an easy and convenient way to securely authenticate users. Additionally, most users have grown accustomed to using TOTP at work and at home for common consumer-centric online services.

Like every technology there are always trade-offs. Below we’ve gathered the top 3 advantages and 3 disadvantages for using a TOTP authenticator.

What is a TOTP?

Before we get into the pros and cons let’s take a closer look at what a TOTP authenticator is. If you’ve been using a dedicated authenticator app such as one from Google, Microsoft, or Salesforce, you may have noticed that these apps generate a 6-digit code that resets over a set period of time. This code allows you to authenticate to various supported systems by typing in the code when prompted. These codes are generated by a standardized algorithm called time-based one-time passwords (TOTP) that’s widely used by many systems as a shared secret method of authentication.

TOTP requires that the system that generates the code and the one that receives it both use a shared key and have their clocks synchronized. Once this is done, they each calculate a matched pair of one-time codes that are valid for the duration of the set time period before they expire. The user is then asked to type the code from their authenticator app into the system they are attempting to log into. The system compares this code to the one it’s generated and if they match the user is allowed to proceed.

You may have also come across one-time passwords (OTP). The difference between TOTP and OTP? A one-time password (OTP) is randomly generated and sent to your registered number or email for authentication of a transaction or as a means to gain access into an account. Unlike a TOTP which is valid for 30-60 seconds, OTPs are usually valid for around 5-10 minutes. While a OTP is sent to you, a TOTP is generated in a mobile app.

Pros of using TOTP

Can be used as a soft token

A TOTP authenticator can be embedded in both dedicated hardware tokens as well as implemented in software, typically as a mobile application such as Google Authenticator. By implementing it in software (also known as a software token) you avoid the costs associated with hardware manufacturing, distribution, inventory, and maintenance. Solutions like Transmit Security even let you brand your own TOTP authenticator augment it with other layers of security.

No Internet connection needed

This is probably one of the greatest advantages of TOTP. The devices that generate and accept TOTP codes can be completely offline. As long as the two devices share the same secret key and are synchronized, they can individually generate TOTP codes and compare them with one another.

Easy to use across applications and channels

You can use TOTP to access various types of applications and channels, such as the call center. Typically you would have a separate TOTP code between each application and the TOTP authenticator. Let’s say you use TOTP to log into 10 different systems. You can still use a single TOTP authenticator for that but the TOTP authenticator will generate 10 different codes, one per each application. You can avoid that by using a centralized authentication service such as Transmit Security that would accept a single TOTP code for all your systems and channels.

Cons of using TOTP

Can be phished and stolen

TOTP lacks context. You open the authenticator app, you get a code and then put it in the system that asks for it. A real-time phishing attack where the attacker impersonates a certain service website and asks for the TOTP code, allows the attacker to grab the code and then immediately use it to log into the service on the victim’s behalf. This is also true for social engineering attacks where the attacker asks the victim for the code, as well as man-in-the-middle traffic sniffing where the attacker can just read the code from the traffic.

Uses a shared secret

Using shared secrets is never a great security practice. It means that the service provider holds the secrets for all TOTP generators for all customers and if these secrets are stolen, the attacker can generate codes for users.

Device dependent

The TOTP generator is bound to the user’s device (for example mobile device or hardware token). If this device is stolen, lost, or breaks, the association between the service provider and the TOTP generator is lost and the service provider needs to re-issue a TOTP authenticator for the user. At this point, the service provider cannot rely on the TOTP generator to authenticate the user and needs to find other ways of validating the user before re-issuing the generator. Many providers would fall back to passwords and SMS codes at this point, which are a less secure mechanism than TOTP. This means that their implementation of TOTP is only as strong as passwords or SMS codes.