What is a TOTP authenticator?

TOTPs explained

A time-based one-time password (TOTP) is a form of two-factor authentication (2FA) that generates a one-time password (OTP) as the second factor, which changes at regular intervals. TOTPs come in different token forms. Hardware tokens are usually key fobs like YubiKeys or RSA SecurID hardware tokens that display a code on the device. Software tokens are usually authenticator apps like Google Authenticator or Microsoft Authenticator. As the TOTP code changes at regular intervals, it makes it harder for attackers to launch replay attacks and gain access to your account .

TOTPs vs. alternatives

• HMAC-based OTPs ( HOTPs): A HOTP uses a counter where the moving factor increases each time an OTP is requested. This makes it more user-friendly as the code doesn't change until the next validation, but this also makes it vulnerable to brute-force attacks.
• SMS-based 2FA: Codes sent via SMS text messages last longer than TOTP codes. However, this makes them susceptible to interception, like manipulator-in-the-middle attacks, even if they're generated by a trusted source. This vulnerability makes TOTPs more secure and usable in a wider range of scenarios.
• Email-based 2FA: This is generally easier to use as it doesn't require an additional authenticator app, and most people already have access to their email. However, emails are easier to compromise and susceptible to phishing.

Why should you use TOTPs?

A TOTP adds an extra layer of security beyond a username and password. It offers a smoother user experience as the code is generated on the device without needing an internet connection. This removes potential delays and increases functionality. Also, many TOTP authenticator apps are free and support a wide range of services and applications.

How do TOTPs work?

A TOTP uses two inputs to generate a code: a static secret key (a seed) that the token shares with the server and a moving factor (Unix time) that changes every time an OTP is requested. During registration, the server generates the seed, which gets stored in the database and on the client's device.

TOTP authentication works in four steps:

• The user enters the first factor of authentication, like their username and password.
• The client generates a TOTP code using the seed and the moving factor. The code is sent to the server.
• The server generates another TOTP code using the same seed and moving factor.
• The two codes get compared, and if they match, the user is logged in.

Examples of TOTP authenticators

TOTP authenticators come in different forms. Software authenticators can be installed on phones, while hardware authenticators require you to carry security keys.

• Software: Apps like Google Authenticator, Authy, and Microsoft Authenticator display a TOTP code on your iOS or Android device during login.
• Hardware: YubiKey and Nitrokey authenticators resemble flash drives that plug into your computer during login. Another example is the RSA SecurID hardware token, which displays the TOTP code on the key.

Benefits of using TOTPs

• Increased security: A TOTP adds another layer of security beyond just a password. This makes hacking harder for attackers as they would have to gain access to the user's secondary device.
• Offline access: A TOTP authenticator relies on just the current time and the shared secret key; it doesn't need to be connected to the internet to generate or verify a token.
• One-time use: As the code changes every 30 seconds or so, depending on the authenticator, it is resistant to replay attacks.

Why should you use TOTP authentication with ManageEngine ADSelfService Plus?

ADSelfService Plus is an identity security solution with adaptive MFA that supports a wide range of authenticators, including TOTP authentication. By configuring a TOTP authenticator, you can seamlessly log in to Windows, macOS, or Linux; access a wide range of enterprise applications through single sign-on; and perform self-service password resets and account unlocks.

People also ask