What is a one-time password?

In connection with the previous article about the importance of strong passwords and two-factor authentication, we felt the need to dig a little deeper into the topic of OTP (one-time passwords) and write about the time-based one-time password (TOTP) and HMAC-based one-time password (HOTP) algorithms. As we explained earlier, two-factor authentication requires two tokens: the first, which we are all familiar with, is the username and password; the second is a secret token that is not known to the public. For the second factor, an OTP is usually the protective mechanism of choice.

OTPs, or one-time passwords, are what the name says: a password valid for a single use. This makes an OTP safer than a regular password, because it keeps changing, which defeats replay attacks. Since an OTP is used only once, there is no need to memorize it. It can be obtained in two main ways: from a hardware token or from a software token.

With hardware tokens, the device that generates the OTP is plugged into a USB port and types the token in for you. Software tokens display the OTP somewhere (e.g. on the screen of your mobile phone) and you type it in from there.

There are two main standards for generating OTPs: the TOTP and HOTP algorithms. The HOTP algorithm relies on two inputs: a shared secret and a counter (the moving factor). In use, a hash-based message authentication code (HMAC) of the moving factor is computed using the shared secret. Whenever a new OTP is generated the moving factor is incremented, so each generated password is different.

The TOTP algorithm works similarly, relying on a shared secret and a moving factor, but differs in how it handles the moving factor. With TOTP the moving factor is derived from the time elapsed since a fixed starting point, counted in fixed periods. While an HOTP password can remain valid for an unlimited amount of time, a TOTP password is limited to a short time window and keeps changing. In practice, during two-factor authentication the user enters the first factor (e.g. username and password), which triggers the request for the second, secret token. The server checks whether the code it generates matches the one the user submits, and if they match the authentication is complete.

TOTP and HOTP are two helpful ways to do two-factor authentication. They are based on open standards, and the calculations they need are done entirely in software, requiring no other protection methods. Implementing these methods in online data storage gives a safe and reliable way to reach your files both easily and securely.

I am sure all of us have experienced TOTP- or HOTP-based authentication before. When you try to log on to one of your accounts from a new device and receive a code on another device of yours, that is a form of two-factor authentication. You need to type the code into the device you want to use to log in to your account, and sometimes there is even a time limit on how long the generated code stays valid. These codes might be a bit tiring and inconvenient, but they are there for our protection, so use two-factor authentication whenever it is possible.
