Hello guys.

I have been implementing TOTP-based authentication in one of my PHP-based applications. It is a widely used second factor: the code proves that whoever is logging in holds the secret enrolled for that account, so a stolen password alone is not enough.

TOTP stands for “Time-Based One-Time Password”. You are probably already familiar with OTPs: an OTP is a single-use password, so once it has been used it is not accepted again, unlike a regular password.

I am going to explain how TOTP-based authentication works.

  • In the TOTP algorithm, the generated password (a short numeric code, 6 digits by default) is valid only for a short time window.
  • At enrollment a random shared secret is generated. It is stored both at the client (usually an authenticator app that imports it from a QR code) and at the server.
  • The client computes an HMAC (HMAC-SHA1 by default) keyed with the shared secret over the current UNIX timestamp divided by the time step, and truncates the result to the numeric code.
  • The client sends this code to the server.
  • The server computes the same code from its own copy of the shared secret and its own clock (usually for the neighbouring time steps as well, to tolerate clock drift).
  • The server compares the codes and, if they match, the client is authenticated. A code that has already been accepted must be rejected if it is presented again within its window, otherwise an attacker who sniffs it can replay it.

Example of TOTP

Password = Truncate(HMAC(shared_secret, floor(unix_timestamp / time_step)))

unix_timestamp is the number of seconds since Jan 1 1970 (UTC), so it will have changed by the time the password reaches the server. Therefore it is divided (integer division) by a time_step, 30 seconds by default, so that every second within the same 30-second step yields the same password. Note that a code is not valid for 30 seconds from the moment it was generated but until the end of the current step, which is why servers typically also accept the codes for the adjacent steps. Both sides need reasonably accurate clocks.
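The steps listed above and the formula, carried through in code. This is an added example written for this page in Python (not the PHP code of my application): it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only, plus the server-side check with a drift window and replay rejection. The function names, the `window` parameter and the `used_counters` set are my own choices; the test vectors in the demo are the published ones from RFC 4226 and RFC 6238 for the ASCII secret `12345678901234567890`.

```python
"""TOTP (RFC 6238) built on HOTP (RFC 4226): generation and server-side check.
Added example; helper names and parameters are assumptions, not a standard API."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, C as 8-byte big-endian."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP = HOTP(K, floor(unix_time / step)): one code per time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, used_counters: set,
                step: int = 30, digits: int = 6, window: int = 1,
                algo: str = "sha1"):
    """Server side. Returns the matching time-step counter, or None.
    window=1 also accepts the previous and next step (clock drift).
    used_counters is per-user state: a counter that already produced an
    accepted code is never accepted again, which blocks replay."""
    if len(code) != digits or not code.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue
        expected = hotp(secret, counter, digits, algo)
        if hmac.compare_digest(expected, code):              # constant-time compare
            used_counters.add(counter)
            return counter
    return None


def new_secret(nbytes: int = 20):
    """Enrollment: a random secret plus its base32 form (what QR codes carry)."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode()


def secret_from_base32(b32: str) -> bytes:
    """Decode a base32 secret as shown in an otpauth QR code (padding optional)."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"                      # RFC test-vector secret
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(rfc_secret, t, digits=8))               # matches RFC 6238 SHA1 table
    used = set()                                              # per-user replay state
    code = totp(rfc_secret, 59)                               # counter 1 -> "287082"
    print("first use :", verify_totp(rfc_secret, code, 59, used))   # 1
    print("replay    :", verify_totp(rfc_secret, code, 59, used))   # None
    raw, b32 = new_secret()
    assert secret_from_base32(b32) == raw
```

Run it and the 8-digit codes printed for the six timestamps should be exactly the SHA1 column of RFC 6238 Appendix B; the second `verify_totp` call returns None because counter 1 has already been consumed. In a real deployment `used_counters` lives in the user's database row (storing just the last accepted counter is enough), and the server's clock must be NTP-synchronised, since a drift larger than `window` steps locks everyone out.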

Read more in RFC 6238 (TOTP), which builds on the HOTP algorithm of RFC 4226.

That’s all folks!


Hey friends, thank you for visiting my blog and spending some of your precious time reading it. I am Aryan, and I work with a variety of computer technologies. This blog is a write-up of my understanding of various topics after reading different materials about them. I hope that it helps you in some way. Enjoy reading and feel free to connect with me.

