A Primer to Time Based One Time Passwords
One Time Password
A One Time Password (OTP) is, as the name suggests, a single use password. It is most frequently used as a second factor in a 2 Factor Authentication scheme. It provides the “something you have” factor: the device providing the password.
Time based One Time Password
A Time based One Time Password (TOTP) is a One Time Password whose value is derived from the current time. This means that a TOTP generator does not need a working network connection and can still produce a valid OTP on demand. Mathematically, a TOTP is just a function of two inputs: a seed and the time. If the seed is shared ahead of time as a pre-shared secret, TOTP can be, and is, used as a complete and secure replacement for classical forms of OTP.
Typical Workflow
Let’s say your bank allows the use of TOTPs instead of regular SMS OTPs to authorise online transactions, and you want to start using this new and secure form of multi-factor authorisation.
You would need to download a trusted 2FA app on your Android phone and use it to scan the QR code which your bank shares with you, containing the secret seed for the TOTP. Once scanned, your phone will begin to generate a numeric TOTP which refreshes automatically every 30 seconds and which your bank can verify as valid. Then, when you pay for an online transaction and the website asks for an OTP, instead of waiting for an SMS to arrive you simply open the 2FA app and type the code currently displayed on the screen. If the code refreshes (because 30 seconds have elapsed), just enter the new code.
Simple Example
As a simple example, let’s try to implement TOTP validation. It is simple enough that it can be embedded straight in this blog post. Follow the step by step process to validate your first TOTP:
- Open your 2FA app (Aegis is an excellent 2FA app)
- Choose the “Add” option (bottom right on Aegis)
- Scan the QR code (this is your pre-shared secret), and save the resulting information
- Test your TOTP by typing it down below. If you see a “party” emote ( 🎉 ), you got it right!
TOTP Demo
In Conclusion
TOTPs are a simple and safe way to secure your accounts and logins with 2FA. They are easy enough that they can be quickly implemented in a blog, and are also easy to use by scanning one QR code per account that you want to secure. To verify, you just check your 2FA app for a code instead of your SMS app for a code!