Authentication: TOTP


Let’s make one thing perfectly clear…

TOTP ≠ OTP

  • OTP = One-Time Password
  • TOTP = Time-based One-Time Password

As discussed in the Two-Step Verification post, OTP sends the one-time password to the user’s mobile phone via SMS or to the user’s email address.

TOTP, on the other hand, uses a local app on the mobile device to generate a pass-code.

TOTP

If we look at the factors for an app using a password and TOTP code, we see that it is something you know and something you have.

[Image: TOTP-Factors]

When a user registers a mobile device, they receive a key (either as a QR code or as a character string to be entered manually).  This key becomes the something you have.

[Image: TOTP-Key]

That key gets stored on the mobile device and in the back-end infrastructure.

The mobile app uses an industry standard algorithm with the key and the current time as parameters, producing a 6 digit code that is valid for 30 seconds. The back-end infrastructure runs the same algorithm with the same key and current time, generating an identical code.
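The "industry standard algorithm" the post refers to is HMAC-based: the shared key is HMAC'd over the current 30-second time step (RFC 4226 HOTP, with the counter derived from time as in RFC 6238). The following is an added illustration, not code from the post or from any of the apps it mentions; it implements both the app side (generate) and the back-end side (verify, allowing one step of clock drift) and uses the RFC's published test secret as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second periods since epoch.
    This is what the mobile app computes from the stored key and its clock."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Back-end check: recompute the code for the current step and +/- `skew` neighbouring
    steps (tolerates small clock drift between phone and server), comparing in constant time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, len(submitted)), submitted)
        for d in range(-skew, skew + 1)
    )


def key_from_base32(encoded: str) -> bytes:
    """Decode the key as it appears in an enrolment QR code / manual-entry string (base32,
    often shown without padding or with spaces)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Constructed sample: the RFC 6238 test secret, rendered the way an enrolment screen would show it.
EXAMPLE_KEY_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    key = key_from_base32(EXAMPLE_KEY_B32)
    now = int(time.time())
    code = totp(key, now)                          # what the app displays this 30-second window
    print(code, verify_totp(key, code, now))       # back end accepts it
```

Both sides derive the same code from nothing but the shared key and the clock, which is why the phone needs no connectivity once enrolled, and why the key itself must be protected.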

[Image: TOTP-Code]

A few things to consider with TOTP:

  1. DO NOT take a screenshot of your actual QR code or key and place it in a blog, PowerPoint or user manual. Because that key is the something you have, if others get it, they now have one of your authentication factors. Try it for yourself. If you scan the QR code with a TOTP app from Citrix, Microsoft, Google or others, you will get a token, but that token is for a test user that no longer exists, and the key was deleted from the back-end system.
  2. Because this uses a key stored on the mobile device, the mobile device does not require connectivity to generate a code. With OTP, the user must either have SMS connectivity or access to email.

If you want to see how TOTP works in a Citrix Workspace environment, take a look at the following Tech Insight video:

Authentication Blog Series: 

Daniel (Twitter @djfeller)
