TOTP: Time-based One-time Password Algorithm
Verisign, Inc.
685 E. Middlefield Road
Mountain View
CA
94043
USA
dmraihi@verisign.com
Diversinet Corp.
2225 Sheppard Avenue East, Suite 1801
Toronto
Ontario
M2J 5C2
Canada
smachani@diversinet.com
Verisign, Inc.
685 E. Middlefield Road
Mountain View
CA
94043
USA
mpei@verisign.com
Portwise, Inc.
275 Hawthorne Ave, Suite 119
Palo Alto
CA
94301
USA
johan.rydell@portwise.com
General
Internet Engineering Task Force
This document describes an extension of one-time password algorithm HOTP
as defined in to support time based moving factor.
This document describes an extension of one-time password algorithm HOTP
as defined in to support time based moving factor.
As defined in the HOTP algorithm is based on the HMAC-SHA-1 algorithm, as specified in applied to an increasing counter value representing the message in the HMAC computation.
Basically, the output of the HMAC-SHA-1 calculation is truncated to obtain user-friendly values:
HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))
where Truncate represents the function that can convert an HMAC-SHA-1 value into an HOTP value.
TOTP is the time-based variant of this algorithm where a value T derived from a time reference and a time step replaces the counter C in the HOTP computation.
The default HMAC-SHA-1 function could be replaced by HMAC-SHA-256 or HMAC-SHA-512 to leverage HMAC implementations based on SHA-256 or SHA-512 hash functions.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in
This section summarizes the requirements taken into account for designing the TOTP algorithm.
R1 - The prover (e.g. token, soft token) and verifier (authentication or validation server) MUST have access to the Unix Time
R2 - The prover and verifier MUST either share a same secret or the knowledge of a secret transformation to generate a shared secret
R3 - The algorithm MUST use HOTP [RFC4226] as a key building block.
R4 - The prover and verifier MUST use the same time step value X.
R5 - There MUST be a unique secret (key) for each prover.
R6 - The keys SHOULD be randomly generated or derived using a key derivation algorithms.
R7 - The keys MAY be stored in a tamper-resistant device and SHOULD be protected against unauthorized access and usage.
R8 - The TOTP algorithm SHOULD be used for online application.
This variant of the HOTP algorithm specifies the calculation of a one-time
password value, based on a representation of the counter as a time factor.
- X represents the time step in seconds (default value X = 30 seconds) and is a system parameter;
- T0 is the Unix time to start counting time steps (default value is 0, Unix epoch) and is also a system parameter.
Basically, we define TOTP as TOTP = HOTP(K, T) where T is an integer and represents the number of time steps between
the initial counter time T0 and the current Unix time (i.e. the number of seconds elapsed since midnight UTC of January 1, 1970).
More specifically T = (Current Unix time - T0) / X where:
- X represents the time step in seconds (default value X = 30 seconds) and is a system parameter;
- T0 is the Unix time to start counting time steps (default value is 0, Unix epoch) and is also a system parameter.
The security and strength of this algorithm depends on the
properties of the underlying building block HOTP, which is a
construction based on HMAC using
SHA-1 as the hash function.
The conclusion of the security analysis detailed in
is that, for all practical
purposes, the outputs of the dynamic truncation on distinct
inputs are uniformly and independently distributed strings.
The analysis demonstrates that the best possible attack against the
HOTP function is the brute force attack.
As indicated in the algorithm requirement section, keys SHOULD be
chosen at random or using a cryptographically strong pseudo-random
generator properly seeded with a random value.
Keys SHOULD be of the length of the HMAC output to facilitate
interoperability.
We RECOMMEND following the recommendations in
for all pseudo-random and
random generations. The pseudo-random numbers used for
generating the keys SHOULD successfully pass the
randomness test specified in or
a similar well-recognized test.
All the communications SHOULD take place over a secure
channel e.g. SSL/TLS, IPsec connections.
We also RECOMMEND storing the keys securely in the
validation system, and more specifically encrypting them using
tamper-resistant hardware encryption and exposing them only when
required: for example, the key is decrypted when needed to verify
an OTP value, and re-encrypted immediately to limit exposure in
the RAM for a short period of time.
The key store MUST be in a secure area, to avoid as much as possible
direct attack on the validation system and secrets database.
Particularly, access to the key material should be limited to programs
and processes required by the validation system only.
An OTP generated within the same Time-step will be the same.
When an OTP is received at a validation system, it doesn't
know a client's exact timestamp when an OTP was generated. The
validation system may typically use the timestamp when an OTP is
received for OTP comparison. Due to the network latency for an OTP
to transmit from a requesting application to a validation system
and user's actual input time of an OTP to a receiving system, such
timestamp gap between the actual OTP generation time and server's
receiving time may be large. The receiving time at the validation
system and the actual OTP generation may not fall within the
same Time-step window that produce the same OTP. When an OTP
is generated at the end of a Time-step window, the receiving time
most likely falls into the next Time-step window.
A validation system SHOULD typically set a policy for an
acceptable OTP transmission delay window for validation.
The validation system should compare OTPs not only with the
receiving timestamp but also the past timesteps that are
within the transmission delay. A larger acceptable delay window
would introduce some OTP attack window. We RECOMMEND that
at most one time step is allowed as the network delay.
The Time-step size has impact on both security and usability.
A larger Time-step size means larger validity window for an OTP
to be accepted by a validation system. There are the following
implications with a larger Time-step size.
At first, a larger Time-step size exposes larger window for
attack. When an OTP is generated and exposed to a third party
before it is consumed, the third party can consume the OTP within
the Time-step window.
We RECOMMEND default Time-step size for 30 seconds.
Secondly, the next different OTP must be generated in the next
Time-step window. A user must wait till the clock moves to the
next Time-step window from the last submission. The waiting time
may not be exactly the length of Time-step depending on when
the last OTP was generated. For example, if the last OTP was
generated at the half way in a Time-step window, the waiting
time for the next OTP is half of length of Time-step. In general,
a larger Time-step window means larger waiting time for
a user to get the next valid OTP after the last successfully
OTP validation. A too large window, for example 10 minutes,
most probably won't be suitable for typical internet login
use cases; a user may not be able to get the next OTP within
10 minutes and therefore re-login back to the same site
in 10 minutes. The default Time-step size 30 seconds is
recommended.
Because of possible clock drifts between a client and a validation
server, we RECOMMEND that the validator be set with a specific
limit to the number of time steps a prover can be 'out of synch'
before being not validated/rejected.
This limit can be set both forward and backwards from the calculated
time step on receipt of the OTP value. If the time step is 30 seconds
as recommended, and the validator is set to only accept 2 time step
backwards then the maximum elapsed time drift would be around
89 seconds, i.e. 29 seconds in the calculated time step and 60 for
two backward time steps.
This would mean the validator could perform a validation against
the current time and then further two validations for each backward
step (for a total of 3 validations). Upon successful validation,
the validation server can record the detected clock drift for
the token in terms of number of Time-step. When a new OTP
is received after this step, the validator can validate the OTP with
current timestamp adjusted with recorded number of Time-step clock
drifts for the token.
Also, it is important to note that the longer a prover has not sent
an OTP to a validation system, the longer (potentially) the accumulated
clock drift between the prover and the verifier. In such cases,
the default synchronization may not be proper when the drift exceeds
beyond allowed threshold. Additional authentication measures SHOULD
be used for the validation system to safely authenticate the prover.
The OTP algorithm defined in this document can be referred by a URI defined in a
separate document. There is no registration needed in this document.
The authors of this draft would like to thank the following people
for their contributions and support to make this a better
specification: Jonathan Tuliani, David Dix, Siddharth Bajaj, Stu Veath, Shuh Chang,
Oanh Hoang, John Huang, and Siddhartha Mohapatra.
HOTP: An HMAC-Based One-Time Password Algorithm
VeriSign
UCSD
Vasco
Gemplus
Aladdin
Randomness Recommendations for Security
DEC
Cybercash
MIT
Key words for use in RFCs to Indicate Requirement
Levels
HMAC: Keyed-Hashing for Message Authentication
IBM
UCSD
IBM
An accurate evaluation of Maurer's universal test
University of Luxembourg
ENS
This section provides test values that can be used for HOTP time-based
variant algorithm interoperability test.
The test token shared secret uses the ASCII string value
"12345678901234567890".
With Time Step X = 30, and Unix epoch as initial value to count time steps
where T0 = 0, the TOTP algorithm will display the following values
for specified modes and timestamps.
Time (sec)
UTC Time
Value of T (hex)
TOTP
Mode
1111111109
2005-03-18 01:58:29
00000000023523EC
07081804
SHA1
1111111109
2005-03-18 01:58:29
00000000023523EC
34756375
SHA256
1111111109
2005-03-18 01:58:29
00000000023523EC
63049338
SHA512
1111111111
2005-03-18 01:58:31
00000000023523ED
14050471
SHA1
1111111111
2005-03-18 01:58:31
00000000023523ED
74584430
SHA256
1111111111
2005-03-18 01:58:31
00000000023523ED
54380122
SHA512
1234567890
2009-02-13 23:31:30
000000000273EF07
89005924
SHA1
1234567890
2009-02-13 23:31:30
000000000273EF07
42829826
SHA256
1234567890
2009-02-13 23:31:30
000000000273EF07
76671578
SHA512
2000000000
2033-05-18 03:33:20
0000000003F940AA
69279037
SHA1
2000000000
2033-05-18 03:33:20
0000000003F940AA
78428693
SHA256
2000000000
2033-05-18 03:33:20
0000000003F940AA
56464532
SHA512