TOTP one-time passwords

How TOTP one-time passwords secure sensitive corporate data

Time-based one-time passwords (TOTP for short) add a further factor to logging in with a user name and password and secure sensitive company data via two-factor authentication (2FA). But how do time-based one-time passwords actually work, and what advantages does a hardware authenticator offer?

Whether it’s business applications such as Microsoft 365, PC support via Teamviewer, or remote VPN access to a company’s own network, simply entering a user name and password is no longer enough. Almost all online platforms therefore offer the option of protecting user accounts against misuse and identity theft by means of secure two-factor authentication (2FA). This variant of multi-factor authentication (MFA) uses, for example, a time-limited one-time password as a further authentication factor in addition to the user name and password.

What types of secure two-factor authentication there are

Companies can provide the additional authentication factor for secure log-in via 2FA in a wide variety of ways. In addition to one-time passwords generated by special TOTP generators or transmitted by servers via e-mail, SMS or phone call, physical tokens such as smart cards and authentication keys can also be used to secure user accounts. The following six types of two-factor authentication are widely used:

The various two-factor authentication methods can also be combined. For example, in addition to using physical authentication keys such as Yubikey, companies can also enable their employees to log in with 2FA using TOTP one-time passwords. In this way, employees with a TOTP generator can still access their account even if they lose the physical key.

How time-based TOTP one-time passwords work in 2FA

Due to the security shortcomings of two-factor authentication via SMS or e-mail and the entry barriers of smart cards and physical authentication keys, corporate online platforms and most online services primarily use time-based one-time passwords (TOTP). This is a method of generating time-limited one-time passwords (OTP) from a secret key known to both sides (the shared secret). The method was developed by the cross-industry Initiative For Open Authentication (OATH) and published by the Internet Engineering Task Force (IETF) as RFC 6238 in July 2011.

At its core, TOTP, which is free of patents as an open standard, is based on a keyed hash function (HMAC, a hash-based message authentication code). This calculates a hash value from the current time step and the previously agreed secret key, and the one-time password is derived from that value. Each one-time password is valid for only one time step, typically 30 seconds, so the sender and receiver must have sufficiently accurate clocks. So much for the theory. In practice, switching a user account to secure two-factor authentication with TOTP goes something like this:

Users usually use a software solution on their smartphone or desktop PC as a TOTP authenticator. Alternatively, a standalone hardware-based TOTP generator without an Internet connection can be used, which is much more secure, especially for corporate use.

A comparison of software and hardware solutions for TOTP passwords

Among the software solutions for TOTP passwords, Google Authenticator and Microsoft Authenticator are certainly the best-known authenticator apps. However, there are also alternatives such as Authy from Twilio or the open source applications Aegis Authenticator, andOTP and FreeOTP(+). Even password managers such as KeePass, LastPass or 1Password now support two-factor authentication via TOTP. These applications often also work in flight mode without an Internet connection. Nevertheless, such software solutions carry a residual risk. For example, the Android banking malware Cerberus, whose source code is freely available in underground forums, is now also able to intercept two-factor authentication codes, according to Kaspersky’s security experts.

Hardware-based TOTP generators, on the other hand, offer the highest level of security for everyday corporate use. They store the secret TOTP keys in their own hardware, operate without an Internet connection and therefore cannot be attacked over the network. Some devices also offer integrated PIN protection. In the event of loss, this type of security function effectively protects against misuse because it only allows the authenticator to be used after the PIN has been entered. If the PIN is entered incorrectly several times, the device is usually reset to factory settings and all keys and accounts are deleted.

An important factor for all types of TOTP authenticators is their exact time of day. Depending on the implementation, online services may tolerate slight deviations in the time on the user’s TOTP authenticator. However, if the deviation is too large, the log-in fails. While apps use the Network Time Protocol (NTP) to synchronize the time over the Internet, hardware-based TOTP authenticators rely on their own sufficiently accurate clocks for calculating one-time passwords. In many cases, however, these clocks are the source of recurring follow-up costs for companies.

Due to time deviations of the internal real-time clock, hardware solutions with built-in batteries are often only usable for two years for the provision of TOTP passwords. In contrast to many competitor products, which require a device replacement once their runtime is exhausted, the REINER SCT Authenticator can be precisely synchronized again via the integrated camera, for example after a change of the three AAA batteries. Via a patented QR camera process, the manufacturer also uses the Authenticator’s camera to change the language setting or time zone, as well as to import firmware updates with new functions and enhancements. While other hardware solutions can sometimes only be used for a single 2FA account, REINER SCT has used this method to provide a firmware update with which the device now manages 60 accounts instead of ten. This is sustainable and reduces costs in procurement and support.
