How TOTP one-time passwords secure sensitive company data
Time-based one-time passwords (TOTP for short) add another component to logging in with a username and password and secure sensitive company data using two-factor authentication (2FA). But how do time-based one-time passwords actually work and what advantages does a hardware authenticator offer?
Whether for business applications such as Microsoft 365, remote PC support via TeamViewer or VPN access to the company's own network: simply entering a user name and password is no longer enough. Almost all online platforms therefore offer the option of protecting user accounts against misuse and identity theft with secure two-factor authentication (2FA). This variant of multi-factor authentication (MFA) uses, for example, a time-limited one-time password as an additional authentication factor alongside the user name and password.
What types of secure two-factor authentication are available
Companies can provide the additional authentication factor for a secure login via 2FA in a variety of ways. In addition to one-time passwords, which are generated by special TOTP generators or sent to the user by email, SMS or phone call, physical tokens such as smartcards and authentication keys can also be used to secure user accounts. The following six types of two-factor authentication are widely used:
- E-mail confirmation: The transmission of an additional one-time password by email is common, but not particularly secure. The problem: If attackers gain access to the email account via malware, for example, they also have access to the codes sent.
- SMS confirmation or call: Here, the user receives an additional one-time password for logging in via SMS or automated calls. The problem: Trojans can intercept the text message on the smartphone. There is also the threat of SIM swapping attacks.
- Time-based one-time passwords: A TOTP authenticator generates time-limited one-time passwords for logging in. The problem: Only hardware-based TOTP authenticators work without an internet connection and are not vulnerable online.
- Smartcards: Plastic cards with a security chip are similar to a bank card and offer good protection against password theft. The problem is that smartcards require corresponding readers and are almost exclusively used in the enterprise sector.
- Physical authentication keys: With this variant, the user has to insert a special USB stick and press a button on it when logging in. The problem: even widely used online services do not yet offer this method of authentication.
- Recovery codes: Here, the user receives ten one-time passwords as backup codes to print out. The problem is that these codes are not intended for daily use, but as a backup in case the actual two-factor authentication does not work.
The various two-factor authentication methods can also be combined. For example, companies have the option of enabling their employees to use physical authentication keys such as the YubiKey as well as 2FA login via TOTP one-time passwords. In this way, employees can still access their account with a TOTP generator even if they lose their physical key.
How time-based TOTP one-time passwords work in 2FA
Due to the security shortcomings of two-factor authentication via SMS or email and the entry barriers of smartcards and physical authentication keys, company-internal online platforms and most online services primarily use time-based one-time passwords (TOTP). This is a method of generating one-time passwords (OTP) that are valid for a limited period of time on the basis of a shared secret. The method was developed by the cross-industry Initiative for Open Authentication (OATH) and published as RFC 6238 by the Internet Engineering Task Force (IETF) in July 2011.
At its core, TOTP, an open standard that is free of patents, is based on a keyed cryptographic hash (HMAC). The HMAC is computed over the current time and a previously agreed secret key, and the one-time password is derived from the resulting value. Because each password is only valid for 30 seconds, the authenticator and the server must have sufficiently accurate clocks. So much for the theory. In practice, converting a user account to secure two-factor authentication with TOTP works something like this:
- Generate shared secret: With the help of a cryptographically secure random generator, the server of the online service generates a secret key. This shared secret is stored on the server and is unique for each user account.
- Set up the TOTP authenticator: To configure a TOTP authenticator, the online service provides the user with the secret key. The data is usually transferred via QR codes that can be scanned directly with the authenticator.
- Generate one-time password: During log-in, the user's TOTP authenticator calculates a password with six or eight digits. After transmission, the server compares this password with the value it computes itself from the shared secret and the current time.
As a TOTP authenticator, the user usually uses a software solution on their smartphone or desktop PC. Alternatively, a standalone, hardware-based TOTP generator without an internet connection also works – and this is much more secure, especially in corporate use.
A comparison of software and hardware solutions for TOTP passwords
When it comes to software solutions for TOTP passwords, Google Authenticator and Microsoft Authenticator are certainly among the best-known authenticator apps. However, there are also alternatives such as Authy from Twilio or the open source applications Aegis Authenticator, andOTP and FreeOTP(+). Even password managers such as KeePass, LastPass or 1Password now support two-factor authentication via TOTP. These applications often also work in flight mode without an existing internet connection. Nevertheless, such software solutions carry a residual risk. For example, the Android banking malware Cerberus, whose source code is freely available in underground forums, can now also intercept two-factor authentication codes, according to the security experts at Kaspersky.
On the other hand, hardware-based TOTP generators offer the highest level of security in day-to-day business. They store the secret TOTP keys in their own hardware, work without an internet connection and therefore cannot be attacked online. Some devices also offer integrated PIN protection. In the event of loss, such a security function effectively protects against misuse, as it only allows the authenticator to be used after the PIN has been entered. If the PIN is entered incorrectly several times, the device is usually reset to factory settings and all keys and accounts are deleted from the device.
The exact time plays an important role for all types of TOTP authenticators. Depending on the implementation, online services tolerate slight deviations in the time on the user's TOTP authenticator. However, if the deviation is too large, the log-in will fail. While apps synchronize their time over the Internet using the Network Time Protocol (NTP), hardware-based TOTP authenticators must rely on a built-in clock that is accurate enough to calculate one-time passwords. In many cases, this results in regular follow-up costs for companies.
Due to time deviations in the internal real-time clock, hardware solutions with a built-in battery can often only be used for two years to provide TOTP passwords. In contrast to many competing products, which require the device to be replaced due to the battery life, the REINER SCT Authenticator can be precisely synchronized again via the integrated camera after the three AAA batteries have been replaced, for example. Using a patented QR camera process, the manufacturer also uses the Authenticator’s camera to change the language setting or time zone and to install firmware updates with new functions and enhancements. While other hardware solutions can sometimes only be used for a single 2FA account, REINER SCT has used this method to provide a firmware update that allows the device to manage 60 accounts instead of the previous ten. This is sustainable and reduces procurement and support costs.