What is a TOTP authenticator?

Written by AndrewMFA · 2 min read

On this page
  • TOTPs explained
  • TOTPs vs. alternatives
  • Why should you use TOTPs?
  • How do TOTPs work?
  • Examples of TOTP authenticators
  • Benefits of using TOTPs
  • Why should you use TOTP authentication with ManageEngine ADSelfServicePlus?
  • People also ask

TOTPs explained

A time-based one-time password (TOTP) is a form of two-factor authentication (2FA) that generates a one-time password (OTP) as the second factor; the code changes at regular intervals. TOTPs come in different token forms. Hardware tokens are usually key fobs like YubiKeys or RSA SecurID hardware tokens that display a code on the device. Software tokens are usually authenticator apps like Google Authenticator or Microsoft Authenticator. Because the TOTP code changes at regular intervals, it is harder for attackers to launch replay attacks and gain access to your account.

TOTPs vs. alternatives

  • HMAC-based OTPs (HOTPs): A HOTP uses a counter as the moving factor, which increases each time an OTP is requested. This makes it more user-friendly, as the code doesn't change until the next validation, but it also makes the code vulnerable to brute-force attacks.
  • SMS-based 2FA: Codes sent via SMS text messages last longer than TOTP codes. However, this makes them susceptible to interception, like manipulator-in-the-middle attacks, even if they're generated by a trusted source. This vulnerability makes TOTPs more secure and usable in a wider range of scenarios.
  • Email-based 2FA: This is generally easier to use as it doesn't require an additional authenticator app, and most people already have access to their email. However, emails are easier to compromise and susceptible to phishing.

Why should you use TOTPs?

A TOTP adds an extra layer of security beyond a username and password. It offers a smoother user experience, as the code is generated on the device without needing an internet connection. This removes delivery delays and lets the authenticator work in more situations. Also, many TOTP authenticator apps are free and support a wide range of services and applications.

How do TOTPs work?

A TOTP uses two inputs to generate a code: a static secret key (a seed) that the token shares with the server and a moving factor (Unix time) that changes every time an OTP is requested. During registration, the server generates the seed, which gets stored in the database and on the client's device.

TOTP authentication works in four steps:

  • The user enters the first factor of authentication, like their username and password.
  • The client generates a TOTP code using the seed and the moving factor. The code is sent to the server.
  • The server generates another TOTP code using the same seed and moving factor.
  • The two codes get compared, and if they match, the user is logged in.

Examples of TOTP authenticators

TOTP authenticators come in different forms. Software authenticators can be installed on phones, while hardware authenticators require you to carry security keys.

  • Software: Apps like Google Authenticator, Authy, and Microsoft Authenticator display a TOTP code on your iOS or Android device during login.
  • Hardware: YubiKey and Nitrokey authenticators resemble flash drives that plug into your computer during login. Another example is the RSA SecurID hardware token, which displays the TOTP code on the key.

Benefits of using TOTPs

  • Increased security: A TOTP adds another layer of security beyond just a password. This makes account compromise harder for attackers, as they would also have to gain access to the user's secondary device.
  • Offline access: A TOTP authenticator relies on just the current time and the shared secret key; it doesn't need to be connected to the internet to generate or verify a token.
  • One-time use: As the code changes every 30 seconds or so, depending on the authenticator, it is resistant to replay attacks.

Why should you use TOTP authentication with ManageEngine ADSelfService Plus?

ADSelfService Plus is an identity security solution with adaptive MFA that supports a wide range of authenticators, including TOTP authentication. By configuring a TOTP authenticator, you can seamlessly log in to Windows, macOS, or Linux; access a wide range of enterprise applications through single sign-on; and perform self-service password resets and account unlocks.

People also ask

How does TOTP authentication work?

When a user tries to log in, the client generates a time-based code using an authenticator app or a key fob. This code is sent to the server for validation. The server generates another code simultaneously. If the two codes match, the user is successfully logged in.

How do I get a TOTP code?

First, you will need to register your TOTP authenticator and get the seed (the shared secret key). After doing this, whenever you try to log in, the client will use the seed to generate a TOTP code. This code will be displayed on your key fob or authenticator app for a short period before changing. Use this TOTP code to log in.

Is a TOTP the same as 2FA?

A TOTP is a form of 2FA that uses a time-based OTP as the second factor.

Is a TOTP better than an OTP?

Yes, a TOTP is better than an OTP as the code is unique for each login and changes after a set period. TOTPs also work offline, unlike OTPs delivered via SMS messages, which can be intercepted.
