One-time passwords (OTPs) are a common method of implementing a “something you have” factor for multi-factor authentication (MFA).  These single-use codes can be implemented in a few different ways with varying levels of security.

What does OTP mean?

OTP stands for one-time password.  OTPs are commonly used in multi-factor authentication (MFA) schemes to prove ownership of a particular device or account.

OTPs come in a few different forms.  An OTP may be generated by a server and sent to a user’s device via email or SMS.  Alternatively, the server and device may independently generate codes using a TOTP or HOTP algorithm.

What is a Timed-Based One-Time Password (TOTP)?

Time-Based One-Time Passwords

Before we get into the pros and cons let’s take a closer look at what a TOTP authenticator is. If you’ve been using a dedicated authenticator app such as one from Google, Microsoft, or Salesforce, you may have noticed that these apps generate a 6-digit code that resets over a set period of time. This code allows you to authenticate to various supported systems by typing in the code when prompted. These codes are generated by a standardized algorithm called time-based one-time passwords (TOTP) that’s widely used by many systems as a shared secret method of authentication.

TOTP requires that the system that generates the code and the one that receives it both use a shared key and have their clocks synchronized. Once this is done, they each calculate a matched pair of one-time codes that are valid for the duration of the set time period before they expire. The user is then asked to type the code from their authenticator app into the system they are attempting to log into. The system compares this code to the one it’s generated and if they match the user is allowed to proceed.

You may have also come across one-time passwords (OTP). The difference between TOTP and OTP? A one-time password (OTP) is randomly generated and sent to your registered number or email for authentication of a transaction or as a means to gain access into an account. Unlike a TOTP which is valid for 30-60 seconds, OTPs are usually valid for around 5-10 minutes. While a OTP is sent to you, a TOTP is generated in a mobile app.

TOTP authenticator 

Like every technology there are always trade-offs. Below we’ve gathered the top 3 advantages and 3 disadvantages for using a TOTP authenticator.

Pros of using TOTP

1. Can be used as a soft token

A TOTP authenticator can be embedded in both dedicated hardware tokens as well as implemented in software, typically as a mobile application such as Google Authenticator. By implementing it in software (also known as a software token) you avoid the costs associated with hardware manufacturing, distribution, inventory, and maintenance. Solutions like Transmit Security even let you brand your own TOTP authenticator augment it with other layers of security.

2, No Internet connection needed

This is probably one of the greatest advantages of TOTP. The devices that generate and accept TOTP codes can be completely offline. As long as the two devices share the same secret key and are synchronized, they can individually generate TOTP codes and compare them with one another.

3. Easy to use across applications and channels

You can use TOTP to access various types of applications and channels, such as the call center. Typically you would have a separate TOTP code between each application and the TOTP authenticator. Let’s say you use TOTP to log into 10 different systems. You can still use a single TOTP authenticator for that but the TOTP authenticator will generate 10 different codes, one per each application. You can avoid that by using a centralized authentication service such as Transmit Security that would accept a single TOTP code for all your systems and channels.

Cons of using TOTP

1. Can be phished and stolen

TOTP lacks context. You open the authenticator app, you get a code and then put it in the system that asks for it. A real-time phishing attack where the attacker impersonates a certain service website and asks for the TOTP code, allows the attacker to grab the code and then immediately use it to log into the service on the victim’s behalf. This is also true for social engineering attacks where the attacker asks the victim for the code, as well as man-in-the-middle traffic sniffing where the attacker can just read the code from the traffic.

2. Uses a shared secret

Using shared secrets is never a great security practice. It means that the service provider holds the secrets for all TOTP generators for all customers and if these secrets are stolen, the attacker can generate codes for users.

3. Device dependent

The TOTP generator is bound to the user’s device (for example mobile device or hardware token). If this device is stolen, lost, or breaks, the association between the service provider and the TOTP generator is lost and the service provider needs to re-issue a TOTP authenticator for the user. At this point, the service provider cannot rely on the TOTP generator to authenticate the user and needs to find other ways of validating the user before re-issuing the generator. Many providers would fall back to passwords and SMS codes at this point, which are a less secure mechanism than TOTP. This means that their implementation of TOTP is only as strong as passwords or SMS codes.

What is HOTP?

What is HOTP?

HOTP stands for HMAC-based OTP, where HMAC is Hash-based Message Authentication Code.  In a HOTP, both the client and server use a counter to determine the next code to generate. Every time that a HOTP is generated and the user gains access to their account, the counters increment on the client and server, keeping them coordinated.

HOTP vs TOTP

TOTP and HOTP are both designed to generate a series of one-time codes on the server and on a user’s device.  The main difference between them is what triggers the advance to a new code. In TOTP, a new code is generated at regular intervals based on a synchronized clock. In HOTP, new codes are generated at need when the previous code is used for authentication.

HOTP vs TOTP 

The Final Word: Is OTP\TOTP\HOTP Secure?

The security of an OTP/TOTP/HOTP scheme depends on how it is implemented.  Many ways of implementing OTP – such as sending a code via SMS or email – are insecure. For example, NIST has deprecated the use of SMS-based OTP for federal systems since 2017, and email-based TOTP provides little protection if the account and email account share a password.

HOTP and TOTP are more secure, but they are still vulnerable to phishing attacks. While MFA adoption is on the rise, cybercriminals have evolved their tactics to steal these codes in various ways.

OTP-based MFA can bolster password security,

How is HOTP generated?

but a better option is to move away from passwords entirely.  Passwordless authentication provides both better security and an improved user experience by eliminating the need to find and type in a one-time code for authentication.

One-time passwords (OTPs) are single-use codes for user authentication, and time-based OTPs are a type of OTP.  Typically, OTPs are generated by a server and sent to a user via SMS or email, while TOTPs are independently generated on a server and the user’s device.  This makes TOTP more secure than OTP.

Authenticator apps like Google Authenticator and Authy use TOTP.  During the setup process, the device and server agree on a shared secret, which is then used to generate new codes at certain intervals.

One-time passwords (OTPs) prove access to a trusted device or account because the code is sent to or generated on that device.  By entering in the correct code to a website, the user proves that they have access to that device as part of a multi-factor authentication (MFA) scheme.

One-time passwords (OTPs) fall into the “something you have” category of multi-factor authentication (MFA).  This is because the OTP is sent to or generated by a trusted device.

HMAC-based one-time passwords (HOTPs) are generated by a client and server every time that the user authenticates to a website.  The client and server are synchronized so that they always generate the same codes at the same time.  The user can prove access to a trusted device by entering the correct code into a server.

HMAC-based one-time passwords (HOTP) begin with a shared secret established by the client and server during the setup process.  Using this shared secret, the client and server can then generate single-use authentication tokens each time that a user logs into their account.

HMAC-based one-time password (HOTP) protocols establish a shared secret between the client and server as part of the setup process.  Using this shared secret, the client and server can use an algorithm to generate a series of single-use codes.  Each time that the user logs into their account, the client and server generate the next code in the sequence.

An HMAC-based one-time password (HOTP) is a single-use authentication code.  When logging in to an online account, a user will enter the code generated on their device as part of the authentication process.

Time-based one-time passwords (TOTPs) enable a user to prove ownership of a device as a “something you have” factor for multi-factor authentication (MFA).  The client and server are synchronized so that a code generated by a trusted device and entered into a site by a user can be verified by the server.

The time-based one-time password (TOTP) protocol has undergone extensive security review and is secure.  The main threat to TOTP security is if a user is tricked into giving a TOTP code to an attacker.

Time-based one-time password (TOTP) and HMAC-based one-time password (HOTP) have equivalent levels of security.  The primary difference is when the two protocols generate new codes.  TOTP codes expire after a certain period of time, while HOTP codes are regenerated after each successful login to an account.

Learn More About Transmit Security