How Time-based One-Time Passwords work

HARIDHA P101 10-Jan-2023

With cyber security threats on the rise, upgrading the security standards of your online apps has become increasingly important, and that includes securing the accounts that belong to your users.

These days, many websites require users to add an additional level of security to their account. They achieve this by turning on two-factor authentication. TOTP authentication, which uses the Time-based One-Time Password technique, is one of several ways to implement two-factor authentication.

This article covers its definition, usage, and benefits. To understand TOTP, let's first quickly review what two-factor authentication is.

Two-factor authentication: what is it?

Two-factor authentication (also known as multi-factor authentication) gives a user's account an additional layer of protection. After enabling two-factor authentication, the user must complete one more step to log in successfully.

Currently, two methods are frequently used to obtain the one-time password:

SMS-based: With this approach, each time a user logs in, a text message with a one-time password is sent to the phone number they have on file.

TOTP-based: With this approach, the user scans a QR code with a dedicated smartphone app to enable two-factor authentication. That app then generates the user's one-time password repeatedly.

There is no need to explain the SMS-based approach. Although it's simple, there are a few challenges with it, like security concerns, waiting for the SMS after each login attempt, and others. Because it has advantages over the SMS-based method, the TOTP-based method is growing in popularity. So let's see how the TOTP-based approach functions.

How the TOTP-based technique operates

Before looking at how it works, let's first talk about the issues that this approach helps us with.

With the TOTP approach, the one-time password is created on the user's side (instead of the server side) by a smartphone application.

As a result, users can always access their one-time password, and the server no longer has to send a text message each time a user tries to log in.

The generated password also changes after a predetermined amount of time, so it acts like a one-time password.

Great! Let's now examine the operation of the TOTP method and attempt to apply the proposed solution ourselves. Our requirement in this case is that the user creates a password, and that password must change over time.

TOTP stands for 'Time-Based One-Time Password'.

TOTP obtains the one-time password using the HOTP technique. The only change is that 'time' is used instead of a 'counter,' which solves our second issue: the password has to change over time.

As a result, we can use time as a counter in the HOTP method to determine the OTP rather than initializing and monitoring the counter. No one needs to keep track of the counter because both a server and a phone have access to the current time.

Additionally, we can use a Unix timestamp, which is zone-independent, to get around the issue of the server and phone having different time zones.
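The following sketch, added here as an illustration and not taken from the original post, shows HOTP with the counter replaced by the number of elapsed time steps, and shows that one instant expressed in two time zones gives the same Unix timestamp and therefore the same code. The 30-second step, 6-digit length, HMAC-SHA1 and the one-step drift window are assumptions (the RFC 6238 defaults and a common server setting), and the secret is the public RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample secret: the public ASCII test key from RFC 4226 / RFC 6238.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, max(int(unix_time), 0) // step, digits)

def verify(secret: bytes, submitted: str, unix_time: float,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        # Constant-time comparison; every candidate is checked, no early exit.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

def same_instant_two_zones():
    """One instant written in UTC and in UTC+05:30 as Unix timestamps."""
    utc = datetime(2005, 3, 18, 1, 58, 29, tzinfo=timezone.utc)
    local = utc.astimezone(timezone(timedelta(hours=5, minutes=30)))
    return utc.timestamp(), local.timestamp()

if __name__ == "__main__":
    server_ts, phone_ts = same_instant_two_zones()
    # Server and phone derive the same code despite different wall clocks.
    print(totp(SECRET, server_ts), totp(SECRET, phone_ts))
    # A code from the previous time step is still accepted within the window.
    print(verify(SECRET, totp(SECRET, phone_ts - 30), server_ts))
```

A wider `window` tolerates more clock drift but lengthens the period during which a captured code remains valid, so keep it small and reject codes that have already been used.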

Conclusion

The use of two factors for authentication is growing. Many web apps use it as an added layer of protection.

Compared with the SMS-based method, the TOTP approach doesn't demand much more work. Therefore, adding this feature will benefit any application.


A passionate writer, blogger, language trainer, co-author of the book 'Irenic' and an enthusiastic learner. Interests include travelling and exploring.
