""
Encyclopedia

Time-based one-time passwords (TOTP)


What is TOTP?

A time-based one-time password (TOTP) is a temporary numeric code generated by an app or hardware token, typically valid for 30–60 seconds. It is used as a second authentication factor to strengthen login security. Unlike SMS-based OTPs, TOTPs are generated locally on the user’s device, reducing reliance on mobile networks.

Why is TOTP more secure than SMS OTP?

SMS OTPs are vulnerable to fraud techniques like SIM-swap attacks, man-in-the-middle interception, and phishing. In contrast, TOTPs are generated offline using a shared secret key and the current time, making them harder for attackers to intercept. However, TOTPs can still be phished if a user unknowingly enters the code on a fraudulent site.

How does TOTP work?

When setting up TOTP, a service provider shares a secret key with the user’s authenticator app (such as Google Authenticator or Authy). The app then uses the current time and the secret key to generate a unique code. During login, the user enters the code, which the service provider verifies against its own generated code. If they match, the user is authenticated.

Example

A customer attempts to log in to their digital banking app. After entering their username and password, they are prompted to open their authenticator app and enter a 6-digit TOTP. The code refreshes every 30 seconds, ensuring it can’t be reused if intercepted.

Additional resources:
  • Blog: OTPs for customer authentication: Past their expiry date and holding banks back
  • Video: The journey from OTPs to secure, seamless customer experience

Keywords:

TOTP | One-time password | Multi-factor authentication