Totp Authentication

With companies like Google, Dropbox and Amazon adopting TOTP, it would be a good idea to understand what it is, and how it works.


First a quick introduction to the One Time Pad on which TOTP is based. A One Time Pad is a large sequence of random numbers used to encrypt communications between two parties, it also comes with some heavy restrictions on its usage.

On the upside OTP is information theory secure, which means that if applied correctly it is proveably unbreakable. However the list of restrictions on it’s usage often make it impractical to use. Reducing the size of the list is one of the primary benefits of TOTP, although it comes with some security reduction.


TOTP is an acronym for “Time based One Time Password”, and like the One Time Pad it is meant to produce passwords that are only used a single time. However, it doesn’t have the same draw backs as OTP.

The protocol starts with a secret shared between the communicating entities. This is a sequence of numbers that is usually only 64 bytes, which is less than 140 digits (base 10). Once the two parties have shared the secret, they generate single use passwords to authenticate themselves to each other. The password generation algorithm is fairly straight forward:

That’s it. It’s fairly straight forward (see the RFC for more details).

Earlier I mentioned that TOTP is less secure that OTP, there are several reasons for this. I’ve tried to cover the major ones, but the list is by no means exhaustive as new attacks on cryptography are discovered all the time.

Previously: RSS