I have been implementing TOTP based authentication in one of my php based application. It is a modern times authentication method to verify that user is real and not a hacker.
TOTP stands for “Time Based One Time Password”. You must be aware of OTP. OTPs are singe time use passwords that means if used once cannot be used the next time unlike regular passwords.
I am going to explain how does this TOTP based authentication work.
- In TOTP algorithm, password generated is valid for a very short duration
- A secret token is generated. This is stored both at client and server.
- Client computes a hash using shared secret and UNIX timestamp.
- Client sends this hash to server.
- Server also computes the hash using same shared secret and UNIX timestamp.
- Server compares both hashes and if equal, then client is authenticated.
Example of TOTP
Password = Hash(shared_secret, (unix_timestamp / time_step))
Since unix_timestamp is seconds from Jan 1 1970, so it will change once password is reached server from client. Therefore, unix_timestamp is divided by a time_step (default = 30 secs) so that the password is valid for 30 seconds.
Read more about RFC 6238 of TOTP.
That’s all folks!