Fact-checked by Grok 2 weeks ago

Time-based one-time password

A time-based one-time password (TOTP) is a temporary passcode generated using a cryptographic algorithm that combines a shared secret key with the current time to produce a unique, short-lived code, typically 6 to 8 digits long and valid for a brief period such as 30 seconds.^[1] This approach extends the HMAC-based one-time password (HOTP) algorithm defined in RFC 4226 by replacing the event counter with a time-based counter, calculated as the floor of the difference between the current Unix time and a reference time divided by a predefined time step (default 30 seconds).^[1] Standardized by the Internet Engineering Task Force (IETF) in RFC 6238 and published in May 2011, TOTP provides a secure method for generating one-time passwords without requiring direct synchronization between the client and server beyond the shared secret and synchronized clocks.^[1] TOTP emerged from the Initiative for Open Authentication (OATH), an industry collaboration founded in the mid-2000s to develop open standards for strong authentication across devices and networks, aiming to promote interoperability and reduce reliance on proprietary systems.^[2] Building on HOTP's event-based model introduced in 2005, TOTP addressed limitations like the need for counter synchronization by leveraging time as a dynamic factor, making it suitable for software-based implementations on mobile devices and hardware tokens.^[3] The OATH framework, which includes both HOTP and TOTP, has been adopted globally to support standardized two-factor authentication (2FA) mechanisms. In practice, TOTP is widely deployed in 2FA systems, where users enter the generated code alongside a primary credential like a password to verify identity.^[4] Authenticator applications, such as those compatible with OATH standards, compute the code locally using the device's clock and the provisioned secret key, while servers independently generate and validate the expected value within a small tolerance for clock drift (e.g., ±1 time step).^[1] This method enhances security against replay attacks since codes expire quickly and cannot be reused, and it avoids vulnerabilities associated with SMS-based OTPs, such as interception via network exploits.^[5] The algorithm's security relies on the HMAC-SHA1 (or stronger hashes like SHA256 in extensions) pseudorandom function to produce the HOTP value, truncated and represented in decimal, ensuring resistance to brute-force attacks within the short validity window.^[1] TOTP's design supports various digit lengths and hash functions, allowing flexibility for different security levels, and it is referenced in federal guidelines like NIST SP 800-63B as a recommended authenticator for remote identity proofing and authentication.^[5] Despite its strengths, implementations must address potential issues like time desynchronization or secret key compromise through secure provisioning protocols.^[1]

Introduction and Fundamentals

Definition and Purpose

A time-based one-time password (TOTP) is a temporary passcode generated using a shared secret key between the user and the authentication server, combined with the current time as a source of uniqueness, and is typically valid for a short interval of 30 seconds.^[1] This approach ensures that each passcode is dynamic and expires quickly, preventing reuse even if intercepted.^[6] The primary purpose of TOTP is to strengthen two-factor authentication (2FA) systems by adding a second layer of verification beyond static passwords or usernames, thereby reducing the risk of unauthorized access through credential theft.^[6] In 2FA workflows, users enter their regular credentials followed by the current TOTP code, which the server independently generates and validates using the same shared key and time reference, confirming the user's possession of an authorized device or token.^[1] TOTP serves as a time-variant alternative to event-based methods like HOTP, leveraging predictable time progression for code generation.^[1] Common applications include securing online banking logins, where users generate a TOTP code via a mobile app to authorize transactions, or email services like Gmail, which require it to access accounts and prevent phishing-induced breaches.^[7] By design, TOTP enhances user identity verification in these scenarios without relying on network connectivity for code delivery, promoting both security and convenience.^[6]

Comparison to Other OTP Methods

One-time passwords (OTPs) represent a class of authentication mechanisms where a unique, short-lived code is generated for each login attempt, enhancing security beyond static passwords by preventing replay attacks. These codes are typically derived from a shared secret between the client and server, ensuring that only authorized parties can validate them.^[3] A primary counterpart to TOTP is the HMAC-based one-time password (HOTP), which relies on an incrementing counter as its moving factor rather than time. In HOTP, both the authenticator and verifier maintain synchronized counters that advance with each successful authentication event, but this can lead to desynchronization if counters diverge due to failed attempts, network issues, or multiple devices. TOTP, by contrast, simplifies synchronization by using the current time as the dynamic input, divided into fixed intervals (commonly 30 seconds), eliminating the need to track individual events.^[3]^[1] The event-based approach of HOTP offers flexibility in offline scenarios since codes do not expire until used, but it requires careful management to resynchronize counters, often through a validation window that accepts a range of counter values. TOTP's time-based regeneration provides advantages such as automatic expiration without user intervention, reducing the risk of code reuse from desynchronization, and enabling predictable code lifecycles that align with user expectations. However, TOTP introduces challenges related to clock drift or skew between devices, necessitating a tolerance window (typically ±1 interval) during validation to accommodate minor discrepancies.^[8] Beyond counter- and time-based cryptographic methods, other OTP variants include out-of-band deliveries like SMS-based codes, which transmit the OTP via cellular networks rather than computing it locally. TOTP offers superior security over SMS OTPs due to its reliance on a pre-shared secret and HMAC computation, avoiding vulnerabilities such as interception through SS7 protocol flaws or SIM swapping attacks. Similarly, push notification systems prompt device approval without generating OTPs, providing possession-based proof but lacking TOTP's self-contained cryptographic verification.^[9]^[1]

Technical Mechanism

Core Algorithm

The time-based one-time password (TOTP) algorithm builds upon the HMAC-based one-time password (HOTP) mechanism defined in RFC 4226, requiring a shared secret key K between the client and server, typically a random binary string of at least 128 bits for security.^[10] This key serves as the cryptographic foundation, and the algorithm employs a hash-based message authentication code (HMAC) function, with SHA-1 as the default hashing algorithm, though SHA-256 and SHA-512 variants are supported for enhanced security.^[11] The generation process begins by computing a time-based counter C from the current Unix time, which represents seconds since the epoch (January 1, 1970, 00:00 UTC). Specifically,

C = \lfloor (\text{[UnixTime](/page/Unix_time)} - T_0) / X \rfloor

, where UnixTime is the current Unix time, T_0 is the reference time offset (default 0), and X is the time step in seconds (default 30).^[8] This counter C replaces the incrementing event counter in HOTP, ensuring time-synchronized uniqueness. The TOTP value is then derived as \text{TOTP}(K, C) = \text{HOTP}(K, C), where HOTP computes \text{DT}(\text{HMAC-SHA-1}(K, C)), with DT denoting the dynamic truncation function.^[12] The dynamic truncation in HOTP extracts a 4-byte (31-bit) value from the 20-byte HMAC-SHA-1 output as follows: Let S be the HMAC result treated as a 20-byte string Sbits = S_0 || S_1 || \dots || S_{19}, where S_j are bytes. The offset is o = S_{19} \& 0xF, and the truncated value is d = (((S_o \& 0x7F) \ll 24) | (S_{o+1} \ll 16) | (S_{o+2} \ll 8) | S_{o+3}) \mod 10^D, where D is the number of digits (typically 6). This yields a decimal string of D digits, usually 6 to 8, representing the one-time password valid for the duration of the time step.^[13] For validation, the server independently computes the expected TOTP using the same shared key K and its local time to derive C, then compares the submitted code against the generated value. To accommodate minor clock desynchronizations, the server typically checks the current time step and the immediately previous one (i.e., C and C-1) to account for transmission delays, as recommended in RFC 6238.^[8] Implementations may support configurable digit lengths from 6 to 8 and alternative HMAC hash functions (SHA-256 or SHA-512) as specified in the algorithm parameters, allowing flexibility while maintaining interoperability.^[14]

Time Handling and Synchronization

In TOTP systems, time is derived from Unix epoch time, defined as the number of non-leap seconds elapsed since 00:00:00 UTC on Thursday, January 1, 1970, providing a universal reference independent of local timezones.^[1] This absolute timescale ensures consistency between client devices and authentication servers, as both compute the current time counter C using the formula C = \lfloor (\text{UnixTime} - T_0) / X \rfloor, where T_0 is typically 0 (the epoch start) and X is the time step size.^[1] The time step mechanics discretize continuous time into fixed intervals to generate unique counters for each OTP, with a default interval of 30 seconds as specified in the standard; this avoids vulnerabilities associated with real-time precision and limits the OTP validity period to enhance security.^[1] By flooring the elapsed time against this interval, the system produces the same OTP throughout each step but refreshes it at the boundary, balancing usability with resistance to replay attacks.^[1] Synchronization challenges arise from clock drift in hardware or software clocks, transmission delays in code submission, and potential misconfigurations in timezone handling, which can lead to mismatched counters and validation failures even if the shared secret is correct.^[1] For instance, a clock drift of 30 seconds or more may shift the computed counter value by an entire step, rendering a valid OTP invalid on the server side.^[15] To address these, TOTP implementations employ tolerance windows during validation, typically checking the submitted OTP against the current time step as well as the immediately previous one (e.g., creating an acceptance window of up to 60 seconds for a 30-second step) to accommodate minor drifts.^[1] Initial synchronization occurs during device provisioning, where the shared secret is established at a known epoch-aligned time, while ongoing adjustments are limited—such as capping tolerance to one step backward—to prevent exploitation through deliberate time manipulation.^[1] Edge cases like leap seconds and daylight saving time (DST) adjustments are generally ignored in TOTP for simplicity and consistency, as Unix time treats every day as exactly 86,400 seconds without incorporating leap seconds, ensuring uniform counter progression across systems.^[1] This approach prioritizes reliability over astronomical precision, though implementations must ensure all parties use UTC to avoid DST-induced offsets.^[1] Implementations must use at least 64-bit unsigned integers for the counter value, as it may exceed 32 bits after January 19, 2038 (the Unix epoch overflow issue).^[8]

Standards and Adoption

Key Specifications

The Time-based One-Time Password (TOTP) algorithm is formally defined in RFC 6238, published by the Internet Engineering Task Force (IETF) in May 2011, which establishes TOTP as a time-based extension and profile of the HMAC-based One-Time Password (HOTP) algorithm specified in RFC 4226.^[1]^[3] This standard replaces the event counter in HOTP with a time-based counter derived from the current Unix time, ensuring synchronized password generation across client and server without requiring counter synchronization.^[1] Key requirements in RFC 6238 include the use of HMAC-SHA-1 as the mandatory cryptographic hash function, with HMAC-SHA-256 and HMAC-SHA-512 supported as optional alternatives to enhance security.^[1] The default time step size, which determines the validity window for each OTP, is 30 seconds, though implementations may adjust this within limits to balance usability and security.^[1] The generated OTP length defaults to 6 decimal digits for compatibility, but support for 8 digits is required to accommodate varying security needs.^[1] Provisioning of shared secrets often employs the otpauth:// URI scheme, a de facto standard originating from Google Authenticator that encodes parameters like algorithm, digits, and period for QR code-based enrollment.^[16] TOTP operates within the broader OATH (Initiative for Open Authentication) framework, an industry collaboration promoting interoperable strong authentication standards based on open protocols like HOTP and TOTP.^[17] In modern systems, TOTP is often used alongside FIDO2 and WebAuthn in multi-factor authentication, serving as a software-based option complementary to hardware-bound public-key credentials. Compliance with these specifications emphasizes interoperability testing to ensure cross-vendor compatibility, as outlined in OATH guidelines, alongside secure handling of shared secrets through encryption for storage and secure protocols like TLS for transmission. Evolution of the standards includes alignments with NIST guidelines for federal systems, maintaining backward compatibility while addressing cryptographic advancements.^[5]

Implementation Guidelines

Implementing TOTP systems requires careful attention to secure provisioning of shared secrets between the authenticator and verifier to prevent interception or compromise. The recommended method involves generating a random secret key and encoding it in an otpauth URI format, which is then presented as a QR code for scanning by the user's authenticator application, ensuring a direct and tamper-resistant exchange without network transmission.^[18] Out-of-band methods, such as in-person delivery or secure hardware tokens, can also be used for high-security environments to further minimize exposure. Transmission of secrets via email or other insecure channels must be strictly avoided, as these methods are vulnerable to interception and do not provide adequate protection for cryptographic material.^[19]^[20] Per NIST SP 800-63B (as updated in 2024 drafts), TOTP is approved for authentication assurance levels AAL1 and AAL2 but not phishing-resistant AAL3, and OTP delivery must occur via a separate channel excluding email or VoIP.^[21] For development, developers should utilize vetted open-source libraries that implement the TOTP algorithm in compliance with RFC 6238, such as PyOTP for Python applications, which supports secret provisioning and code generation.^[22] In Java environments, libraries like GoogleAuth provide reliable server-side TOTP functionality, including validation routines.^[23] All implementations must be rigorously tested against the official test vectors outlined in RFC 6238 to verify correctness in code generation and verification across various time steps and secret lengths.^[24] Configuration of TOTP systems should prioritize robustness by enforcing standard 30-second time steps to limit the validity window of each code, reducing the opportunity for replay attacks.^[1] Rate limiting on verification attempts, such as allowing no more than three tries per time step with exponential backoff, helps mitigate brute-force risks without overly burdening legitimate users.^[25] Provisioning backup codes—sets of single-use, pre-generated recovery tokens—during initial setup allows users to regain access if their primary authenticator is lost, and these should be stored securely offline by the user.^[26] Integration with multi-factor authentication frameworks enables TOTP as one component among others, such as biometrics, for layered security. To ensure interoperability across devices and services, implementations must adhere to the OATH TOTP profile, which builds on RFC 6238 and promotes standardized parameters like 6- or 8-digit codes and SHA-1 hashing (with options for stronger alternatives).^[4] Compliance facilitates seamless operation with diverse authenticator apps and verifiers, avoiding vendor lock-in. For key management, systems should support rotation through secure reseeding without requiring full device resets, using out-of-band confirmation to synchronize new secrets while preserving access for existing sessions. Recovery mechanisms, such as time-window tolerance for slight clock drifts, further enhance usability without compromising security. As of 2025, with NIST's ongoing phase-out of SHA-1 recommending deprecation by 2030, TOTP implementations should transition to quantum-resistant alternatives like HMAC-SHA-256 to maintain long-term integrity against emerging threats, including those from quantum computing.^[27]^[28] This upgrade aligns with RFC 6238's allowance for multiple hash functions and ensures future-proofing without altering core time-based mechanics.^[1]

Applications and Implementations

Common Use Cases

Time-based one-time passwords (TOTP) are widely deployed as a core component of two-factor authentication (2FA) for consumer and enterprise web services, enhancing login security beyond static passwords. Major providers such as Google integrate TOTP into their 2-Step Verification process, where users generate short-lived codes via mobile authenticator apps to access Gmail, Drive, and other services. Similarly, Microsoft employs TOTP for multi-factor authentication in personal accounts and Microsoft Entra ID, requiring app-generated codes for email, OneDrive, and cloud applications. Beyond general web logins, TOTP secures virtual private network (VPN) access, enabling remote workers to authenticate to corporate networks using time-synced tokens from hardware or software authenticators. In the cryptocurrency domain, TOTP serves as 2FA for exchanges like Coinbase and Binance, protecting users during transactions and account recoveries against unauthorized access.^[29] In enterprise environments, TOTP integrates seamlessly with single sign-on (SSO) systems to streamline secure access for employees across multiple applications. Platforms like Okta incorporate TOTP as an MFA option within their SSO framework, allowing organizations to enforce policy-based authentication for SaaS tools and internal systems. Microsoft Azure Active Directory (now Entra ID) similarly supports TOTP for conditional access policies, verifying user identity during employee logins to productivity suites and databases. This adoption aids compliance with regulatory standards; for instance, TOTP-enabled MFA helps meet Payment Card Industry Data Security Standard (PCI-DSS) requirements for protecting cardholder data in financial transactions, as validated by Okta's compliance certifications. It also supports General Data Protection Regulation (GDPR) mandates for robust access controls in handling personal data across European operations.^[30] For everyday consumers, TOTP is embedded in mobile applications that generate codes for routine online activities, offering a convenient layer of protection without relying on network connectivity. Users of Gmail, for example, enable TOTP through Google's Authenticator app or compatible alternatives to secure email access on Android and iOS devices. Social media platforms like Facebook and X (formerly Twitter) leverage TOTP for 2FA, prompting users to enter app-produced codes during login attempts from new devices. In e-commerce, services such as Amazon and Shopify stores utilize TOTP to safeguard account logins and high-value purchases, reducing fraud in online shopping sessions. As of 2025, TOTP is increasingly combined with biometrics in passwordless authentication flows, serving as a fallback or hybrid second factor in systems like FIDO2-enabled logins for seamless user experiences. In these contexts, TOTP's design offers key advantages, including a significant reduction in phishing susceptibility compared to SMS-based one-time passwords, as codes are generated locally and expire within seconds, thwarting interception attempts.^[31] It also supports offline code generation, allowing authentication in low-connectivity scenarios while maintaining synchronization with server clocks for reliability.^[26]

Software and Hardware Examples

Time-based one-time passwords (TOTP) are implemented across various software and hardware solutions, enabling secure two-factor authentication in diverse environments. Prominent mobile applications include Google Authenticator, an Android and iOS app that generates six-digit TOTP codes refreshing every 30 seconds and supports provisioning via QR code scanning for easy setup with services like Google accounts. Authy, another widely used app for Android and iOS, offers cloud-based synchronization across multiple devices, allowing seamless code generation and backup without manual transfers, while supporting TOTP standards for compatibility with numerous online services. Microsoft Authenticator integrates TOTP generation with Azure Active Directory, providing passwordless sign-ins and cloud backups, and is optimized for enterprise use in Microsoft ecosystems like Office 365. Open-source alternatives emphasize accessibility and customization. FreeOTP, available on F-Droid and maintained by the Fedora Project, is a lightweight Android app that supports TOTP token addition via QR codes and focuses on privacy without telemetry.^[32] For command-line users, oathtool from the OATH Toolkit suite serves as a Linux CLI tool to generate and verify TOTP codes from shared secrets, suitable for scripting in server environments. Developers can leverage libraries such as pyotp, a Python package for creating and validating TOTP tokens in applications, or speakeasy, a Node.js module that implements TOTP generation compatible with Google Authenticator.^[22] Hardware tokens provide physical security for TOTP deployment. YubiKey devices, such as the YubiKey 5 series, include an OATH-TOTP mode that stores multiple seeds and generates codes via USB, NFC, or Lightning connections, often combined with FIDO2 for broader authentication support. Nitrokey hardware, like the Nitrokey 3A, supports TOTP through its open-source firmware, allowing seed storage and code display on the device for offline use in high-security setups. Dedicated OTP devices from Feitian, such as the ePass FIDO+ series, comply with OATH-TOTP algorithms and feature built-in clocks for 60-second interval codes, designed for enterprise networks without requiring software installation. On the server side, TOTP validation occurs through specialized software. privacyIDEA is an open-source multi-factor authentication server that manages TOTP tokens, supports enrollment via otpauth URIs, and integrates with identity providers for scalable deployment. Commercial solutions like Duo Security offer TOTP as part of their MFA platform, enabling push notifications alongside code verification and seamless integration with RADIUS protocols for legacy systems like VPNs.^[33] By 2025, TOTP adoption trends favor software applications over hardware tokens due to their convenience, lower cost, and features like automated backups and multi-device syncing, though hardware remains essential for air-gapped or high-assurance environments.^[34]

Security Considerations

Strengths and Vulnerabilities

Time-based one-time passwords (TOTP) offer several security advantages rooted in their design. The time-limited validity of TOTP codes, typically 30 seconds, provides resistance to replay attacks, as intercepted codes expire quickly and cannot be reused after the time window closes.^[1] Additionally, TOTP codes are generated offline on the user's device using a shared secret key and the current time, eliminating the need to transmit the code over a network during authentication and thereby reducing exposure to man-in-the-middle (MITM) interception risks.^[21] The underlying HMAC-based algorithm ensures cryptographic integrity by producing a message authentication code that verifies both the authenticity and integrity of the generated password, leveraging the security properties of HMAC with hash functions like SHA-1 or stronger variants.^[1] Despite these strengths, TOTP has notable vulnerabilities. Adversaries with access to the client device can exploit insecure device clocks by manipulating the time to perform forward-replay attacks, advancing the clock to generate and record future TOTP codes for later replay when the server time aligns, allowing unauthorized access.^[35] A 2023 research paper demonstrated this attack on popular authenticator apps like Google Authenticator without needing the secret key or root access. Compromise of the shared secret key during provisioning poses a significant risk, particularly when keys are transmitted via QR codes that can be intercepted or photographed, enabling an attacker to replicate the TOTP generator indefinitely.^[36] The standard 6-digit code length, combined with validation windows that may span multiple time steps (e.g., ±1 minute), makes TOTP susceptible to brute-force attacks, where an attacker could guess codes at a rate sufficient to succeed within the effective timeframe if rate limiting is absent.^[37] For example, the 2024 AuthQuake vulnerability in Microsoft Azure MFA exploited absent rate limiting and a 3-minute window, enabling brute-force bypass with over 50% success probability after repeated attempts.^[38] Specific attack vectors further highlight TOTP's limitations. Shoulder surfing remains a concern for software-based TOTP implementations, where an observer can visually capture the short-lived code displayed on a device screen.^[39] SIM swapping can indirectly impact TOTP when combined with phone-based authentication flows, such as during initial setup or recovery, by allowing attackers to intercept related SMS notifications or hijack device access.^[40] Emerging quantum threats target the SHA-1 hash function commonly used in legacy TOTP deployments, as quantum algorithms like Grover's could reduce the effective security margin, prompting a phase-out in favor of SHA-256 or higher.^[41] In comparative terms, TOTP provides stronger protection against interception than SMS-based one-time passwords, as codes are generated locally without relying on cellular networks vulnerable to eavesdropping or SS7 exploits.^[42] However, it is generally weaker than hardware security keys (e.g., FIDO2/U2F tokens), which resist physical theft through tamper-resistant designs and offer phishing resistance via public-key cryptography, unlike TOTP's reliance on a replicable software secret.^[43]

Mitigation Strategies

To mitigate risks such as key compromise in TOTP systems, provisioning of shared secrets should occur over encrypted channels to prevent interception during initial setup. Server-side storage of these keys requires hardware security modules (HSMs) that comply with standards like FIPS 140 to ensure tamper-resistant protection and isolation from unauthorized access.^[5] Additionally, implementing regular key rotation—such as annually or upon detection of potential exposure—limits the impact of any breach by reducing the lifespan of compromised secrets.^[44] Time-related vulnerabilities can be addressed through strict validation windows, typically limited to a single 30-second step to minimize the opportunity for replay attacks. Client devices and servers should synchronize clocks using Network Time Protocol (NTP) to maintain accuracy within a few seconds, with servers configured to trusted NTP sources for redundancy.^[26] To counter forward-replay attacks, authenticator apps should implement protections against unauthorized clock changes, such as requiring elevated permissions or using secure time sources. Rate limiting on authentication attempts, such as capping failed TOTP submissions at 3-5 per minute per account, further prevents brute-force exploitation of time windows.^[7] User education plays a critical role in enhancing TOTP security; individuals should be advised never to share generated codes, as they provide direct access equivalent to a password.^[45] Promoting the use of authenticator apps secured with device-level protections like PINs, app-specific locks, or biometrics reduces risks from device theft or malware.^[46] During initial setup, generating and securely storing a limited set of backup codes—printed or saved in a password manager—ensures recovery without compromising the primary secret.^[7] Advanced layered approaches include integrating TOTP with risk-based authentication, where factors like device fingerprinting (e.g., analyzing browser attributes or IP geolocation) trigger elevated scrutiny for anomalous logins.^[47] Organizations may migrate to longer TOTP codes (e.g., 8 digits instead of 6) or stronger hash functions like SHA-256 or SHA-512 to increase resistance against guessing attacks, as permitted by the underlying standard. Monitoring for anomalies, such as frequent resynchronization requests that could indicate tampering, enables proactive suspension of suspicious accounts.^[48] Adherence to regulatory frameworks strengthens overall deployment; NIST SP 800-63B (Revision 4, 2025) designates TOTP as an approved multi-factor authenticator for Authenticator Assurance Level 2 (AAL2), emphasizing secure key management and verifier protections.^[49]

Historical Development

Origins and Evolution

The roots of time-based one-time passwords (TOTP) lie in the mid-1980s development of dynamic password systems, with RSA Laboratories introducing the SecurID token as an early example of time-based hardware authentication devices. These tokens generated pseudorandom codes synchronized to a shared clock, marking a shift from vulnerable static passwords by ensuring codes expired quickly and resisted replay attacks.^[50]^[51] By the 1990s, the proliferation of internet-based remote access drove further evolution from static to dynamic passwords, as enterprises adopted OTPs to secure network logins and mitigate risks from password theft or guessing. Proprietary solutions like RSA SecurID and similar tokens from vendors such as Vasco became standard in corporate and financial sectors, emphasizing time-sensitive codes over reusable credentials.^[52] In response to fragmented proprietary systems, the Initiative for Open Authentication (OATH) was established in 2004 by VeriSign, Nokia, ActivCard, and other industry leaders to create interoperable open standards for strong authentication, including OTP frameworks. This effort produced HOTP (HMAC-based one-time password) as an initial counter-based algorithm in 2005, published as IETF RFC 4226, which influenced subsequent time-based variants by standardizing secure hash generation.^[53]^[3]^[54] Pre-TOTP developments highlighted the industry's preference for time-based mechanisms over counter-based ones like HOTP, primarily to eliminate synchronization challenges in environments with unreliable event tracking, such as banking prototypes using physical tokens for transaction approval. These prototypes addressed desynchronization risks—where counters could drift due to missed events or network delays—by leveraging universally available time as the dynamic factor.^[55]^[56] Contributions from IETF working groups played a pivotal role, building on foundational challenge-response systems like S/KEY, developed by Bellcore in 1989 and formalized in RFC 1760 in 1995, which introduced one-way hash chains for password generation without transmitting secrets. The IETF's OTP working group extended this legacy by promoting standardized one-time password technologies to enhance remote authentication security.^[57]^[58] Prior to 2011, reliance on proprietary OTP implementations from vendors like RSA and others created widespread interoperability barriers, as devices and servers from different providers often failed to communicate seamlessly, complicating deployment in multi-vendor ecosystems. Open standards initiatives like OATH directly tackled these gaps by fostering collaborative specifications that enabled cross-compatible authentication without vendor lock-in.^[59]^[60]

Milestones in Standardization

The standardization of time-based one-time passwords (TOTP) built upon earlier work in one-time password algorithms, beginning with the publication of RFC 4226 in December 2005, which defined the HMAC-based one-time password (HOTP) algorithm as an event-counter-based method for generating OTPs. This foundational specification, developed by an industry consortium including OATH (Initiative for Open Authentication), established key cryptographic primitives like HMAC-SHA-1 that would later underpin TOTP, enabling the transition from challenge-response systems to more scalable, shared-secret-based authentication. A pivotal milestone occurred in May 2011 with the IETF's publication of RFC 6238, which formalized TOTP as a time-synchronized extension of HOTP, authored by David M'Raihi, Johan Rydell, Mingliang Pei, and Salah Machani. This standard introduced a 30-second time-step counter derived from Unix time, divided by the interval, to produce unique OTPs without requiring event synchronization, thereby promoting interoperability across vendors and devices. The RFC's emphasis on using the same HMAC-SHA-1 function as HOTP facilitated immediate adoption in software authenticators. The 2010s saw rapid integration of TOTP into major online services, exemplified by Google's launch of the Google Authenticator app in September 2010, which supported TOTP for two-factor authentication across Gmail and other accounts.^[61] Facebook followed in 2011 by introducing two-factor authentication, with subsequent support for TOTP-compatible apps enhancing its security features.^[62] Concurrently, the OATH initiative launched its certification program in February 2011 to validate compliant hardware and software implementations, ensuring ecosystem-wide reliability.^[63] Subsequent updates addressed evolving needs, including errata published for RFC 4226 to clarify validation windows and counter handling, improving robustness against desynchronization. Additionally, NIST's December 2022 announcement deprecated SHA-1 for cryptographic use by 2030, prompting recommendations to migrate TOTP implementations to SHA-256 or stronger hashes to counter collision vulnerabilities.^[27] Globally, TOTP's standardization influenced regulatory mandates, such as the EU's PSD2 directive effective September 2019, which requires strong customer authentication for electronic payments and recognizes TOTP as a compliant method under its possession and knowledge factors. Post-RFC 6238, open-source adoption surged, with libraries like the Google Authenticator open-source implementation and tools such as oathtool enabling widespread developer integration.^[64]

References

[1]
RFC 6238 - TOTP: Time-Based One-Time Password Algorithm
This document describes an extension of the One-Time Password (OTP) algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm, as defined in RFC 4226.
[2]
About Oath | Open Authentication
OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks.
[3]
RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm
This document describes an algorithm to generate one-time password values, based on Hashed Message Authentication Code (HMAC).
[4]
Authentication methods in Microsoft Entra ID - OATH tokens
Mar 4, 2025 · OATH time-based one-time password (TOTP) is an open standard that specifies how one-time password (OTP) codes are generated.Missing: history | Show results with:history
[5]
[PDF] Digital Identity Guidelines: Authentication and Lifecycle Management
Jul 24, 2025 · the cost-effective security and privacy of other than national security-related information in federal ... [RFC 6238] IETF, TOTP: Time ...
[6]
What is a Time-based One-time Password (TOTP)? - Twilio
The TOTP algorithm follows an open standard documented in RFC 6238 . The inputs include a shared secret key and the system time. The diagram below shows how ...
[7]
Time-Based OneTime Password (TOTP) - Entro Security
A common example of TOTP is its implementation in applications like password managers, online banking platforms, and corporate VPNs. When you log into such ...
[8]
https://datatracker.ietf.org/doc/html/rfc6238#section-5.2
[9]
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
[10]
https://datatracker.ietf.org/doc/html/rfc6238#section-4
[11]
https://datatracker.ietf.org/doc/html/rfc6238#section-5.3
[12]
https://datatracker.ietf.org/doc/html/rfc6238#section-5.1
[13]
https://datatracker.ietf.org/doc/html/rfc6238#section-5.4
[14]
https://datatracker.ietf.org/doc/html/rfc6238#section-6
[15]
NIST Special Publication 800-63B
in either direction — of the authenticator over its ...
[16]
Key Uri Format · google/google-authenticator Wiki - GitHub
OPTIONAL only if type is totp : The period parameter defines a period that a TOTP code will be valid for, in seconds. The default value is 30.
[17]
Open Authentication (OATH)
OATH is an industry-wide collaboration to develop an open reference architecture by leveraging existing open standards for the universal adoption of strong ...
[18]
https://pyauth.github.io/pyotp/
[19]
PyOTP documentation - GitHub Pages
Users can set up auth tokens in their apps easily by using their phone camera to scan otpauth:// QR codes provided by PyOTP. Implementers should read and follow ...<|separator|>
[20]
What Is a Time-Based One-Time Password (TOTP)? | Proofpoint US
Mistakes to Avoid When Implementing TOTP · Inadequate time sync: Precision is key with TOTPs. · Poor secret key management: The secret keys must be kept secure.
[21]
Multifactor Authentication - OWASP Cheat Sheet Series
Multifactor Authentication (MFA) requires more than one type of evidence to authenticate, such as something you know, have, are, somewhere you are, or do.
[22]
pyauth/pyotp: Python One-Time Password Library - GitHub
PyOTP is a Python library for generating and verifying one-time passwords. It can be used to implement two-factor (2FA) or multi-factor (MFA) authentication ...Missing: Java vectors
[23]
wstrange/GoogleAuth: Google Authenticator Server side code - GitHub
GoogleAuth is a Java server library that implements the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.
[24]
https://datatracker.ietf.org/doc/html/rfc6238#section-8
[25]
Verification and two-factor authentication best practices - Twilio
We suggest limiting verifications to 1 request / 30 seconds per phone number with exponential backoff. Learn more in the blog post about best practices for ...
[26]
Advantages of Time-Based One-Time Passwords (TOTP)
May 2, 2025 · Time-Based Counter Calculation. The current Unix time is divided into ... Moreover, because it's based on an open standard (RFC 6238), TOTP ...Missing: comparison | Show results with:comparison
[27]
NIST Retires SHA-1 Cryptographic Algorithm
Dec 15, 2022 · NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.Missing: TOTP | Show results with:TOTP
[28]
https://link.springer.com/article/10.1007/s11227-025-08029-5
[29]
TOTP Authentication Explained: How It Works, Why It's Secure
May 19, 2025 · A time-based one-time password (TOTP) is a temporary numeric code used to verify a user's identity during login. The code changes every 30 ...
[30]
A Review of the Authentication Techniques for Internet of Things ...
This study looks at recent developments including blockchain technology, biometric authentication, and machine learning-based techniques to find research gaps.
[31]
TOTP vs SMS: Which one is better for two-factor authentication (2FA)?
Feb 1, 2023 · TOTP-based 2FA is considered to be more secure than SMS-based 2FA because it is less susceptible to intercepts and spoofing.Missing: NIST | Show results with:NIST
[32]
FreeOTP
FreeOTP is a two-factor authentication application for systems utilizing one-time password protocols. Tokens can be added easily by scanning a QR code.Missing: oathtool pyotp speakeasy
[33]
Duo Two-Factor Authentication with RADIUS and Primary ...
Sep 5, 2025 · In this configuration you insert the Duo Authentication Proxy between your VPN device and your existing primary LDAP or RADIUS authentication ...RADIUS with Duo-Only... · RADIUS 2FA for Cisco ASA... · NetScaler GatewayMissing: privacyIDEA | Show results with:privacyIDEA
[34]
The Best Authenticator Apps for 2025 - PCMag
All of the authenticator apps on this list generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds.
[35]
TOTP Secure Enrollment - IETF
This document describes a secure key exchange scheme that extends the Time-Based One-Time Password (TOTP) de facto enrollment method to prevent compromise ...
[36]
Brute Forcing TOTP Multi-Factor Authentication is Surprisingly ...
Aug 10, 2021 · If your TOTP implementation doesn't include brute-force protection, you might be in trouble. Sample code to exploit this can be found here.Missing: short | Show results with:short
[37]
OTPs as Second Factor - Strengths and Weaknesses - scip AG
Oct 21, 2021 · One-time-passwords are simple and can be easy to use · SMS-based "mTAN" is vulnerable to SIM-swapping and interception · App-based OTPs are better ...Strengths And Weaknesses · Keypoints · Webauthn And The...
[38]
What Is SIM Swapping Fraud and How to Prevent It | Twilio
May 2, 2024 · When a SIM swap is detected, you can require a non-phone-based verification such as a time-based one-time password (TOTP), or you can put the ...What Is A Sim Farm? · How To Prevent Sim Swapping · Use Twilio's Lookup Sim Swap<|separator|>
[39]
Why is HMAC-SHA1 still considered secure?
Jun 25, 2015 · A comment asks when should SHA-1 not be used? Original advise, 2015: It is advisable to quickly phase out SHA-1 in applications requiring ...
[40]
Authenticator App vs SMS Authentication: Which Is Safer?
Feb 15, 2024 · An authenticator app is safer than SMS authentication because it generates 2FA codes locally, which prevents cybercriminals from intercepting the codes as they ...What Is SMS Authentication? · Why You Should Use an...
[41]
TOTP vs. U2F: What's the Difference? - Rublon
Jan 9, 2024 · The main difference between TOTP and U2F is that U2F is more secure and convenient to use than TOTP. U2F is more secure because it uses public-key cryptography ...
[42]
https://www.keepersecurity.com/blog/2024/02/15/authenticator-app-vs-sms-authentication-which-is-safer/
[43]
How to Implement TOTP in Cybersecurity: Best Practices - LinkedIn
Nov 27, 2023 · Implement strong key generation practices, avoiding predictable patterns. Regularly audit and rotate keys to mitigate risks associated with ...
[44]
What is Time-Based One-Time Password & How it Works - Teleport
TOTP, or Time-based One-Time Password, is an algorithm that generates a unique, temporary passcode for authentication. It's a specific implementation of the ...What Is Time-Based One-Time... · How Totp Works: A... · Best Practices For...<|control11|><|separator|>
[45]
What is Risk-Based Authentication? - JumpCloud
Feb 14, 2025 · Risk-Based Authentication (RBA) is a dynamic and adaptive authentication method that assesses the risk level of a login attempt using contextual information.Rba Vs. Traditional... · 3. Adapting Authentication... · Frequently Asked Questions
[46]
What is TOTP? A short guide for developers (RFC 6238 explained)
TOTP (Time-based One-Time Password) is a simple, widely used method for generating short-lived numeric codes from a shared secret and the current time (RFC 6238) ...
[47]
A developer's history of authentication - WorkOS
Sep 5, 2020 · Over time, there were two dynamic password protocols introduced: TOTP = Time-based OTP where the uniqueness of the OTP is generated based on the ...
[48]
What is the Evolution of Multifactor Authentication - Palo Alto Networks
Hardware Tokens: Physical devices, such as RSA SecurID tokens, generated time-based or sequence-based OTP (One-Time Passwords). Software-Based 2FA (2000s):.
[49]
What Does OTP Mean? The Definitive Guide to One-Time Passwords
Jan 30, 2025 · The Evolution of OTPs. OTPs originated in the 1990s with hardware tokens like RSA SecurID, which generated codes using built-in algorithms.Understanding Otp... · How Otps Work: A Deep Dive... · Types Of Otps: Pros, Cons...<|separator|>
[50]
Open Authentication Reference Architecture Announced
Feb 24, 2004 · During the opening day of the RSA Conference 2004, VeriSign announced the creation of the Open Authentication Reference Architecture (OATH), ...
[51]
VeriSign Introduces Collaborative Vision to Drive Ubiquitous ...
Leading hardware and software providers have joined with VeriSign in support for the OATH reference architecture, which leverages widely adopted protocols and ...Missing: Initiative Nokia<|separator|>
[52]
HOTP vs TOTP: What's the Difference? - Rublon
Apr 4, 2022 · HOTP uses an event counter, while TOTP uses a time counter. TOTP has no validation window and a shorter lifetime, making it more secure.
[53]
OTP, TOTP, HOTP: What's the Difference? - OneLogin
The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each ...
[54]
RFC 1760 - The S/KEY One-Time Password System - IETF Datatracker
The S/KEY One-Time Password system is designed to counter this type of attack, called a replay attack. With the S/KEY system, only a single use password ever ...Missing: OTP history<|separator|>
[55]
One Time Password Authentication (otp) - IETF Datatracker
The object of this working group is to write a standards track RFC for one-time password technology, using the technology in the Bellcore S/KEY system.Missing: contributions challenge- response influence
[56]
[PDF] The Evolution of Authentication - FIDO Alliance
The FIDO Alliance has been founded to define an open, interoperable set of mechanisms that reduce the reliance on passwords. Secure hardware is im- portant to ...<|control11|><|separator|>
[57]
[PDF] The State of the Electronic Identity Market
Interoperability and credential portability are key issues in eID market development. Currently, the eID market is relatively fragmented, with several standards ...<|control11|><|separator|>
[58]
Google Authenticator now supports Google Account synchronization
Apr 24, 2023 · We released Google Authenticator in 2010 as a free and easy way for sites to add “something you have” two-factor authentication (2FA) that ...
[59]
Facebook intros two-factor authentication to beef up security
Apr 25, 2011 · Facebook has begun introducing two-factor authentication designed to prevent hackers from accessing users' accounts.
[60]
OATH Announces Availability Of Certification Compliance Program
OATH will be exhibiting at the RSA Conference in San Francisco February 14th-18th 2011 showcasing a number of its members and their devices. OATH will be ...
[61]
Client to Authenticator Protocol (CTAP) - FIDO Alliance
Jul 14, 2025 · Abstract. This specification describes an application layer protocol for communication between a roaming authenticator and another ...Missing: TOTP | Show results with:TOTP
[62]
Open source version of Google Authenticator (except the Android app)
Apr 6, 2021 · This GitHub project is specifically for the Google Authenticator apps which target the Blackberry and iOS mobile platforms.