What is TOTP authentication?
TOTP stands for Time-based One-Time Password: a short code, derived from a secret shared with the authentication server and the current time, that is valid for a brief window and accepted only once. In the strict sense (RFC 6238) the code is generated on the user's side, by an authenticator app or a hardware token, rather than sent to them; in everyday usage the term is also applied to expiring codes delivered over SMS or email, which are covered below.
TOTP codes are produced by a standard algorithm that combines the shared secret with the current time counted in fixed steps, hence the name time-based OTP. The step length is configurable, but the usual value is 30 seconds, and servers typically accept the adjacent step or two to absorb clock drift between device and server. Codes delivered over SMS or email are commonly given longer lifetimes, on the order of several minutes, because delivery itself takes time.
Authentication with TOTPs comes in different forms, and the codes are usually one part of a 2FA or 2-step verification setup. In most cases, users authenticate by entering their username and password in the login form, followed by a one-time code that is either generated on their device or delivered over one of the channels mentioned above.
Time-based one-time password tokens were first popularized by RSA Security, whose SecurID tokens were sold as a proprietary product. The open algorithm came later: OATH (Initiative for Open Authentication), an industry-wide collaboration to promote strong authentication, standardized TOTP, and it was published as RFC 6238 in 2011. TOTP then gained momentum and was adopted on a large scale as 2FA became more popular; today it is one of the most widely deployed second factors on websites and in applications.
TOTP is often confused with its event-based sibling, the HMAC-based One-Time Password (HOTP, RFC 4226). Both compute an HMAC over the shared secret and a counter and truncate the result to a short decimal code; the difference lies in what the counter is. HOTP increments a counter every time a code is produced, so client and server must stay in step. TOTP uses the current time, divided into fixed steps, as the counter, so the code changes by itself and expires without any action from the user. Both algorithms are considered secure; the vulnerability usually lies in the medium through which the codes are transmitted to the user, or in the user being tricked into handing a valid code to an attacker.
Types of TOTP authentication
Time-based One-time Password (TOTP) via SMS
One-time codes delivered by SMS are the most widely deployed form and the simplest to roll out. Users need no smartphone app; a phone that can receive text messages is enough to obtain the code and confirm an identity or a transaction. Strictly speaking these are server-generated codes sent out of band rather than RFC 6238 TOTPs, but they are routinely marketed as such. The method is also one of the least secure, as a growing body of reports shows how readily SMS codes are intercepted or phished (see the list below). It also scores poorly on ease of use and speed compared with other methods: because the code arrives out of band, the user has to switch devices, wait for the message, and manually type the code back into the login session. All these steps create a burdensome user experience and can lead to increased churn rates.
Time-based One-time Password (TOTP) via Email
Like SMS codes, email codes are valid for a limited time, but they are delivered to an email address registered with the account at sign-up or login. Email codes appear in 2FA setups, but often they amount to two-step verification rather than true two-factor authentication: if the user signs in with an email address and password and the code is sent to that same mailbox, both steps depend on one account, and whoever controls the mailbox can usually also reset the password. Email is therefore regarded as one of the weaker channels. If malicious actors gain access to the user's mailbox, they can potentially compromise every account associated with it, including those that rely on emailed codes for identity verification.
Is TOTP secure?
Adding 2FA or MFA does add a layer of security. Still, some weaknesses are worth considering, depending on the medium over which codes are sent to verify a user's identity:
SIM swap scams: an attacker fraudulently transfers a victim's phone number to their own SIM card and then receives the messages sent to that number.
SIM and network attacks: attackers spoof cell tower signals or abuse the SS7 signaling network that carriers use to route calls and texts, and read the contents of private messages in transit.
Synced devices: messages mirrored to multiple smartphones, laptops, tablets, and wearables are exposed if any one of those devices is lost or compromised.
Social engineering and phishing: attackers convince targets to hand over personal information and passwords, including the SMS codes themselves, often in real time so that the code can be used before it expires.
Alternatives to TOTP authentication
As shown above, the security of OTP-based authentication depends heavily on the channel through which the code reaches the user. Once an email account is taken over or an SMS is intercepted, the second factor, and with it the entire login process, is compromised. Even codes generated by an authenticator app remain exposed to phishing, since a user can be persuaded to type a still-valid code into an attacker's page.
But 2FA can also be coupled with other factors that are more user-friendly, easier to use, and secure, such as behavioral biometrics. Typing biometrics-based authentication relies on the analysis of typing patterns that are unique to each individual. With TypingDNA Verify 2FA, users go through an enrollment process that consists of typing four words twice while their typing patterns are collected. These patterns are compared against the pattern observed each time the user authenticates; if they match, access is granted. The particularity of deploying TypingDNA Verify 2FA is the smooth user experience and the replacement of one-time codes altogether. SMS codes are sent only as a fallback, when authentication fails because the typing patterns do not match or the user chooses to skip verification.
According to TypingDNA, this alternative to classic 2FA methods relying on OTP or TOTP is also very cost-effective, reducing authentication costs by 90%.
Product managers, security specialists, and developers can integrate and deploy TypingDNA Verify 2FA in less than 10 minutes, and the risk-free Starter plan includes up to 1000 authenticated users for free. Sign up to get the limited-time offer here.