Multi-factor authentication, or MFA, has become an integral part of reinforcing digital security for millions of users online. The selection of MFA tools is broad, so it’s really up to the user to decide what kind of a digital shield they prefer. One such tool is a one-time password, or OTP.
Today, we’ll be looking at a particular type of OTPs known as time-based one-time passwords, or TOTPs. We’ll analyze what makes this method of multi-factor authentication stand out, and what threats it may face. We’ll also see how it compares to an alternative type of one-time passwords known as HOTPs. Once we’re done, you’ll have the essential tools to improve your online security.
What is OTP?
Before we plunge into the ins and outs of TOTP and how it works, we must first answer the fundamental question – what is OTP? We’ve already established that the acronym itself stands for “one-time password.” Now, let’s take a closer look under the hood.
While the technology behind OTPs is complex, the name is self-explanatory – one-time passwords are security codes that you can use only once for authentication before they reset. As such, OTPs are considered dynamic, in contrast to the static passwords we’re used to in our daily digital lives.
The dynamic OTP algorithm is what makes them so effective in terms of account protection and authentication. Static passwords can be easier to crack, especially if they’re not regularly updated. The additional protective layer of continuously changing one-time passwords has proven to be effective against many identity theft measures.
Each OTP is unique and consists of combinations of numbers and, in some instances, letters. This allows for a near-infinite number of random combinations, making the OTP security layer more resilient to attacks – although they can encounter some vulnerabilities that we’ll discuss shortly.
OTPs come in two types:
Time-based one-time passwords (TOTPs).
Hash-based one-time passwords (HOTPs).
These passwords require two bits of information to work – the seed and the moving factor. A seed is a secret key that’s held by the password generator and the server. A password generator, also known as an OTP token, is a tool used to create the temporary authentication codes.
Both TOTPs and HOTPs are commonly used to enable multi-factor authentication. The type of one-time password in use depends on the chosen MFA method. Typically, the one-time password is generated via code generation hardware, an authenticator app, or a text message.
The moving factor is what you need to know to tell TOTPs and HOTPs apart. While the seed remains static, the moving factor changes and is determined either by a countdown or a counter – something we’ll delve into later as we explore each of the one-time password types.
Some users may assume that one-time passwords are similar to backup codes that various apps provide as an additional recovery measure. However, they work differently – you receive a limited number of backup codes in case you lose access to your main authentication method, and you can use each of them once to log into your account. In contrast, the number of OTPs that can be generated is limitless.
For a clearer view of how an OTP works, let’s take a closer look at both types, starting with TOTPs.
What is a TOTP?
We’ve established the key principles behind OTPs, so let’s get a bit more specific and find out what a TOTP is. The latter half of the acronym stands for “one-time password,” while the T refers to its main characteristic – “time-based.”
Essentially, time-based one-time passwords are passwords that expire within a certain predetermined time, known as a timestep. Different TOTP authenticator tools use different timesteps, but the validity of a code can range anywhere between 15 seconds to one minute. However, it’s not unusual for a TOTP to last longer – for example, several days.
If you don’t type in your unique authentication code during this timespan, the password resets and you have to input a new code. The time factor is the key aspect of a TOTP’s advantage in cybersecurity. Since the randomized passwords change so quickly, they are harder to target during attacks.
The most popular method to receive these codes is using TOTP authenticator apps. However, hardware tools like password generators can also be used to acquire authentication codes.
Regardless of the software or hardware you use to generate an OTP, the outcome is the same. If a person has MFA enabled on an account, they receive a timed passcode upon a login attempt and use it to verify their identity. Let’s use an example to see how it works in practice.
How does a TOTP work?
Let’s imagine that we’re using a TOTP authenticator to log into your Instagram account. For starters, you need to have two-factor authentication enabled on the app:
Go to your Instagram Accounts Centre.
Tap “Password and security.”
Tap “Two-Factor Authentication” and select your account.
Choose your preferred two-factor authentication method – for this example, an authentication app is the recommended option.
TOTP authentication is done using an app like Google Authenticator. When you add an account to this app using either a QR code or a setup key, you can select whether you want the codes to be time-based or counter-based. In this case, select time-based.
Here’s how you log into your Instagram account using a time-based one time password:
Open your Instagram app.
Select “Log in.”
Input your username or email address and password. If you’ve forgotten your password, you can find a recovery guide here.
You’ll be prompted to enter your security key. Open your Google Authenticator app and copy the six-digit TOTP code.
Paste the code into the Instagram prompt.
Remember that the password resets every 15 seconds. If you run out of time, simply copy and paste the newly generated key.
The process is analogous on different apps. In many instances, you can also select to receive a text message with a limited time code or use a code generator device. This can be helpful if you’re experiencing network connectivity issues and cannot access the authentication app.
What is a HOTP?
In addition to TOTPs, there’s another popular type of one-time passwords – HOTPs. This form of one-time passwords has been around for nearly two decades, so it’s likely you’ve encountered it before.
We’ve got two acronyms to tackle here. The first is HOTP itself – it stands for “HMAC-based one-time password.” HMAC means “hash-based message authentication code.” So, to save ourselves a mouthful, we usually just refer to this password type as hash-based one-time passwords, or, even simpler, stick to the initial acronym.
Alternatively, HOTP is known as event-based or counter-based authentication. The event in question is the verification attempt. Unlike TOTPs that refresh at a specific interval, HOTPs are renewed each time you log into your account. So, as you log in, the counter increases to verify that a password was used and a new code is created.
HOTP tokens can also be refreshed manually. For example, if you use a counter-based code on your Google Authenticator app, you can tap the refresh button and receive a new code. This is a helpful feature in case of attacks – if a malicious party has acquired a HOTP, the victim can manually refresh it, deeming the breached code invalid.
In recent years, HOTPs have been slowly losing popularity in comparison to time-based one-time passwords due to security concerns. Although both are utilized as MFA measures, some institutions have started phasing out HOTPs in favor of TOTPs. Let’s take a look at the causes of this development and what the general differences between the two OTP types are.
HOTP vs TOTP: Differences and advantages
In terms of protection, both HOTP and TOTP are solid options. However, users may have different reasons to prefer one over the other, whether it’s due to technical innovation or personal preference.
HOTPs were first developed in 2005, with TOTPs following a few years later in 2008. Chronologically, this makes TOTP the next step in the OTP evolution. Nevertheless, both one-time password types are still in use.
In general, TOTP is considered more secure than HOTP due to the time variable. As you can imagine, it’s harder to acquire security codes when they refresh quickly, whereas a HOTP may go unused for weeks or even months in between your login authorizations. This is something to keep in mind when planning against potential data breaches.
Verifying a login attempt is often a time-sensitive matter. TOTPs can be challenging if you have a lagging device or connectivity issues. If the app you’re logging into freezes or your internet or broadband connection suddenly disappears or is interrupted, you’ll have to rush to input the code or wait for it to reset. This can get frustrating, especially with shorter timesteps.
Accessibility is another factor that can’t be overlooked. The speed at which TOTPs update is predetermined and usually can’t be adjusted by the users themselves. This makes timed passwords less accessible to people who may struggle with fine motor or cognitive skills. In that case, HOTP passwords can be more accommodating because the user has more time to input the code before it resets.
That said, HOTPs can experience validity issues as well. For example, if you keep refreshing the authenticator app, the counter may glitch and produce a code that will not read as valid, potentially preventing you from logging into an account for some time.
Let’s see an overview of the key differences between HOTP and TOTP:
Although the number of differences between the two types of one-time passwords isn’t huge, they’re pretty significant. As you can see, while TOTP is an improved version of one-time passwords in some aspects, it’s not the ultimate choice, and your personal needs may deem HOTPs to be a more favorable solution.
What are OTP bots and how can you evade them?
As with many security measures, nefarious parties work on ways to get around and compromise one-time passwords. Given the time factor and the number of potential password combinations, human intervention alone isn’t enough to bypass the OTP algorithms. So, this has led to the development of OTP bots.
OTP bots are automated programs that hackers use to extract one-time passwords and break down multi-factor authentication defenses. Hackers often use OTP bots in combination with social engineering strategies, relying heavily on the human error factor to succeed.
For example, a hacker may employ a phishing website, leading to the victim unknowingly revealing their login credentials. This data is then forwarded to the OTP bot that contacts the victim and convinces them to relay their one-time password. The hacker can then use this information to log into the account ahead of the victim and cause damage.
OTP bots tend to be more effective against users that rely on text messages to receive the unique code. In recent years, the use of SMS-based multi-factor authentication has been deprecated by multiple entities worldwide. For example, the US-based National Institute of Standards and Technology (NIST) advised the deprecation of SMS authentication back in 2016.
When it comes to TOTP and HOTP, the latter is more susceptible to attacks. If a victim is tricked into revealing a recovery code but doesn’t use it themselves, the hackers are given an opportunity to overtake the account. With TOTP passwords, it’s harder to fit into the limited time frame, making them more robust. It’s also unlikely that an expired TOTP password will be available in the future due to the huge number of potential alphanumeric combinations.
Since OTP bots are typically part of phishing attacks, the most effective way to not fall victim is to follow the standard social engineering prevention measures, like avoiding clicking on suspicious links and not revealing your login credentials to unknown parties. You should also make sure that the device you use to acquire your OTP codes is secure. If you’re using software and lose the device, you can usually lock and erase it remotely.
Do static passwords still matter with TOTP?
You might be wondering – since TOTP codes are a robust security layer, are static, run-of-the-mill passwords still relevant? Of course!
While one-time passwords are effective, they’re not impenetrable and work better as a supplementary security layer. Making sure that your first line of defense — your account password — is strong remains as important as ever.
NordPass Business can help you stay resilient and keep your accounts safe. The encrypted password vault is a one-stop solution for all your sensitive data, including your passwords, banking details, and more. For an additional layer of security, you can enable multi-factor authentication. NordPass MFA supports backup codes, security keys, and authenticator apps, including Google Authenticator and Authy.