Let’s make one thing perfectly clear…
TOTP ≠ OTP
- OTP = One-Time Password
- TOTP = Time-based One-Time Password
As discussed in the Two-Step Verification post, OTP sends the one-time password to the user’s mobile phone via SMS or to the user’s email address.
TOTP, on the other hand, uses a local app on the mobile device to generate a pass-code.
If we look at the factors for an app using a password and TOTP code, we see that it is something you know and something you have.
When a user registers a mobile device, they receive a key (either as a QR code or as a character string to be entered manually). This key becomes the something you have.
That key gets stored on the mobile device and in the back-end infrastructure.
The mobile app uses an industry-standard algorithm with the key and the current time as inputs, producing a 6-digit code that is valid for 30 seconds. The back-end infrastructure runs the same algorithm with the same key and the current time, so it generates an identical code and can compare it with the one the user enters.
A few things to consider with TOTP:
- DO NOT take a screenshot of your actual QR code or key and place it in a blog, PowerPoint or user manual. Because that key is the something you have, anyone who obtains it now holds one of your authentication factors. Try it for yourself. If you scan the QR code with a TOTP app from Citrix, Microsoft, Google and others, you will get a token, but that token is for a test user that no longer exists and the key was deleted from the back-end system.
- Because this uses a key stored on the mobile device, the mobile device does not require connectivity to generate a code. With OTP, the user must either have SMS connectivity or access to email.
If you want to see how TOTP works in a Citrix Workspace environment, take a look at the following Tech Insight video:
Authentication Blog Series:
Daniel (Twitter @djfeller)