One-time passwords (OTPs) are a common method of implementing a “something you have” factor for multi-factor authentication (MFA). These single-use codes can be implemented in a few different ways with varying levels of security.
What does OTP mean?
OTP stands for one-time password. OTPs are commonly used in multi-factor authentication (MFA) schemes to prove ownership of a particular device or account.
OTPs come in a few different forms. An OTP may be generated by a server and sent to a user’s device via email or SMS. Alternatively, the server and device may independently generate codes using a TOTP or HOTP algorithm.
What is a Timed-Based One-Time Password (TOTP)?
Before we get into the pros and cons let’s take a closer look at what a TOTP authenticator is. If you’ve been using a dedicated authenticator app such as one from Google, Microsoft, or Salesforce, you may have noticed that these apps generate a 6-digit code that resets over a set period of time. This code allows you to authenticate to various supported systems by typing in the code when prompted. These codes are generated by a standardized algorithm called time-based one-time passwords (TOTP) that’s widely used by many systems as a shared secret method of authentication.
TOTP requires that the system that generates the code and the one that receives it both use a shared key and have their clocks synchronized. Once this is done, they each calculate a matched pair of one-time codes that are valid for the duration of the set time period before they expire. The user is then asked to type the code from their authenticator app into the system they are attempting to log into. The system compares this code to the one it’s generated and if they match the user is allowed to proceed.
You may have also come across one-time passwords (OTP). The difference between TOTP and OTP? A one-time password (OTP) is randomly generated and sent to your registered number or email for authentication of a transaction or as a means to gain access into an account. Unlike a TOTP which is valid for 30-60 seconds, OTPs are usually valid for around 5-10 minutes. While a OTP is sent to you, a TOTP is generated in a mobile app.
Like every technology there are always trade-offs. Below we’ve gathered the top 3 advantages and 3 disadvantages for using a TOTP authenticator.
Pros of using TOTP
1. Can be used as a soft token
A TOTP authenticator can be embedded in both dedicated hardware tokens as well as implemented in software, typically as a mobile application such as Google Authenticator. By implementing it in software (also known as a software token) you avoid the costs associated with hardware manufacturing, distribution, inventory, and maintenance. Solutions like Transmit Security even let you brand your own TOTP authenticator augment it with other layers of security.
2, No Internet connection needed
This is probably one of the greatest advantages of TOTP. The devices that generate and accept TOTP codes can be completely offline. As long as the two devices share the same secret key and are synchronized, they can individually generate TOTP codes and compare them with one another.
3. Easy to use across applications and channels
You can use TOTP to access various types of applications and channels, such as the call center. Typically you would have a separate TOTP code between each application and the TOTP authenticator. Let’s say you use TOTP to log into 10 different systems. You can still use a single TOTP authenticator for that but the TOTP authenticator will generate 10 different codes, one per each application. You can avoid that by using a centralized authentication service such as Transmit Security that would accept a single TOTP code for all your systems and channels.
Cons of using TOTP
1. Can be phished and stolen
TOTP lacks context. You open the authenticator app, you get a code and then put it in the system that asks for it. A real-time phishing attack where the attacker impersonates a certain service website and asks for the TOTP code, allows the attacker to grab the code and then immediately use it to log into the service on the victim’s behalf. This is also true for social engineering attacks where the attacker asks the victim for the code, as well as man-in-the-middle traffic sniffing where the attacker can just read the code from the traffic.
2. Uses a shared secret
Using shared secrets is never a great security practice. It means that the service provider holds the secrets for all TOTP generators for all customers and if these secrets are stolen, the attacker can generate codes for users.
3. Device dependent
The TOTP generator is bound to the user’s device (for example mobile device or hardware token). If this device is stolen, lost, or breaks, the association between the service provider and the TOTP generator is lost and the service provider needs to re-issue a TOTP authenticator for the user. At this point, the service provider cannot rely on the TOTP generator to authenticate the user and needs to find other ways of validating the user before re-issuing the generator. Many providers would fall back to passwords and SMS codes at this point, which are a less secure mechanism than TOTP. This means that their implementation of TOTP is only as strong as passwords or SMS codes.
What is HOTP?
HOTP stands for HMAC-based OTP, where HMAC is Hash-based Message Authentication Code. In a HOTP, both the client and server use a counter to determine the next code to generate. Every time that a HOTP is generated and the user gains access to their account, the counters increment on the client and server, keeping them coordinated.
HOTP vs TOTP
TOTP and HOTP are both designed to generate a series of one-time codes on the server and on a user’s device. The main difference between them is what triggers the advance to a new code. In TOTP, a new code is generated at regular intervals based on a synchronized clock. In HOTP, new codes are generated at need when the previous code is used for authentication.
The Final Word: Is OTP\TOTP\HOTP Secure?
The security of an OTP/TOTP/HOTP scheme depends on how it is implemented. Many ways of implementing OTP – such as sending a code via SMS or email – are insecure. For example, NIST has deprecated the use of SMS-based OTP for federal systems since 2017, and email-based TOTP provides little protection if the account and email account share a password.
HOTP and TOTP are more secure, but they are still vulnerable to phishing attacks. While MFA adoption is on the rise, cybercriminals have evolved their tactics to steal these codes in various ways.
OTP-based MFA can bolster password security,
How is HOTP generated?
but a better option is to move away from passwords entirely. Passwordless authentication provides both better security and an improved user experience by eliminating the need to find and type in a one-time code for authentication.