The basic idea behind multi-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. However, it the method the second factor is delivered to end-users is also important.
For example, using SMS and automated phone calls to receive a one-time token is still considered an MFA and is much more user-friendly than relying on a software token app like Google Authenticator or Token2 Mobile OTP. However, being easier these methods are also less secure. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. However, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is still better than simply relying on a password.
The idea of using one-time passwords was formulated back in 1981 by Lamport. In principle, OTP can be generated in different ways, but the majority of existing classic as well as modern MFA systems rely on RFC-based TOTP standard. In this article we will give a brief overview of the theoretical background of OTP generation methods this standard uses.
The Time-based One Time Password Algorithm (TOTP) presents a type of key-derivation function that takes a single secret (such as a password or passphrase) as an input and produces a single key as an output. TOTP is a variation of HOTP algorithm, however, with TOTP, the key is dependent on the secret as well as on the current time, instead of an arbitrary counter value defined in HOTP; so current epoch time is considered a counter instead and is calculated as shown in equation below where T0 is a predetermined epoch relative to which all times are counted and Ts is a time step. Time steps used in the majority of TOTP implementations are 30 or 60 seconds.
Once the value of the time counter is calculated, the TOTP output can be calculated by signing the master secret (K) and the time counter (Tc) using HMAC function as shown below:
The master secret (K) used to calculate the HMAC hash is also called a shared secret. The reason for that is because this key is shared between the authentication server and the client generating OTP codes. The secret is shared during the registration. So, the values used to generate TOTP are exactly the same at both parties (client and the server): the secret is the same and the time counter used is based on system clocks, ideally the same or within the 30/60 seconds offset. So, as shown in figure below, the validation process of user submitted OTP codes (OTPu) is as simple as comparing with server generated OTP codes (OTPs).
Multifactor authentication using carried devices (a hardware token or an application on a mobile device) as a context was among the first implementations of strong security. The idea behind both types of the devices is simple - they have a source of current time which is used as a counter to calculate the OTP using the shared secret.
Mobile Apps
There are many TOTP-compliant apps, the following are only the most popular examples:
Hardware tokens
We produce and sell many type of different TOTP hardware tokens with different set of features. The list below contains the most popular hardware token categories available with Token2:
