Two-Factor Authentication (2FA) and TOTP

Source: TH

Context:

With rising cyber threats, passwords alone are no longer secure. Many online services now rely on Two-Factor Authentication (2FA), often implemented through apps like Google Authenticator, which generate time-based one-time passwords (TOTPs).

What is 2FA?

• Two-Factor Authentication requires two proofs of identity:
  1. Something you know → Your password.
  2. Something you have → An authenticator app or hardware token.
• This makes attacks harder because both your password and your device are needed.

What are OTPs and TOTPs?

• OTP (One-Time Password): A short numeric code valid for a single use, expiring within seconds.
• TOTP (Time-based OTP): A special form of OTP that changes every 30 seconds.
• Defined under an open standard, ensuring compatibility across services and apps.

How Does TOTP Work?

• Secret Key Sharing: During setup, the service gives your app a secret key (often via QR code). Both sides store it.
• Time Counter: Time is divided into 30-second intervals, each with a unique counter value.
• HMAC Function:
  • Inputs: secret key + current time counter.
  • Process: Run through HMAC-SHA-256, a secure cryptographic function.
• Dynamic Truncation: Extract part of the HMAC output.
• Final OTP: Reduce it to a 6-digit code (000000–999999).

Because both your phone and the server share the secret key and use the same time slice, they generate identical codes.

What is HMAC and Why Use It?

• HMAC = Hash-based Message Authentication Code.
• Combines a secret key + message using hash functions like SHA-256.
• Ensures:
  • Authenticity → only someone with the key can generate valid codes.
  • Integrity → tampering is detectable.
• Relies on the XOR operation to mix the key securely.

Why Is TOTP Secure?

• Secret key confidentiality: Only stored on device + server.
• Hash security: SHA-256 makes reverse-engineering infeasible.
• Time dependence: Codes expire every 30 seconds.
• Low guessability: Even though the displayed OTP is 6 digits, it’s derived from a massive key space.

Alternatives to TOTP:

• Counter-based OTP (HOTP): Uses a counter instead of time.
• Push-based 2FA: Notification-based approvals.
• Hardware tokens (e.g., YubiKeys): Generate codes independently.