Wednesday, April 19, 2017


The Time-based One-time Password (TOTP) algorithm is an IETF draft standard proposed by
OATH. It is based on a synchronized clock between the user and server.


◾ K: a shared secret between client and server
◾ T: an integer that represents the number of time steps between the initial counter time
T0 and the current Unix time, or POSIX time, i.e., the number of seconds elapsed since
the midnight Coordinated Universal Time (UTC) of January 1, 1970

The standard Unix time t, which is the data type that represents a point in time, is a signed integer data type of 32 bits. 32 bits, of which one bit is the sign bit, can cover a range of about 136 years in total. The minimum time represented is 1901-12-13, and the maximum time represented is 2038-01-19. In contrast, the Network Time Protocol, specified in RFC 1305, is the most commonly used Internet time protocol, and the one that provides the best performance. Computers include NTP client software in their operating systems and periodic synchronization is provided by Network Time Protocol (NTP) servers; NTP servers use UDP on port 123. The 64-bit timestamps used by NTP consist of a 32-bit seconds part and a 32-bit fractional seconds part, giving NTP a time scale of 2^32 seconds (136 years) and a theoretical resolution of 2^-32 seconds (233 picoseconds). The NTP timescale wraps around every 2^32 seconds (136 years). NTP uses an epoch of January 1, 1900, so the first rollover will occur in 2036, well before the familiar UNIX Year 2038.

More specifically T = (Current Unix time – T0)/X

◾ X represents the time step in seconds (default value X = 30 seconds)
◾ T0, the Unix epoch, is the time 00:00:00 UTC on 1 January 1970 (or 1970-01-01T00:00:00Z
ISO 8601) to start counting time steps (default value is 0, Unix epoch)

Resynchronization of the clock is necessary because of possible clock drifts between a client and a validation server. It is recommended that the validator be set with a specific limit for the number of time steps that a verifier can be ‘out of synch’ before being not validated or rejected. This limit can be set both forward and backward from the calculated time step on receipt of the OTP value. If the time step is 30 seconds as recommended, and the validator is set to only accept 2 time steps backward, then the maximum elapsed time drift would be around 89 seconds, i.e., 29 seconds in the calculated time step and 60 for two backward time steps.
Chwan-Hwa (John) Wu
J. David Irwin
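The time-step formula and the backward drift window described in the excerpt above, worked through in Python as an added example (not code from the book or the slides). It assumes the HMAC-SHA1 construction and dynamic truncation of RFC 4226, which the excerpt does not spell out, and uses the ASCII key "12345678901234567890" from the RFC 6238 reference vectors as a constructed test key.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time: int, t0: int = 0, x: int = 30) -> int:
    """T = floor((current Unix time - T0) / X), with the defaults from the text."""
    return (unix_time - t0) // x


def totp(key: bytes, unix_time: int, t0: int = 0, x: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the time step T used as the counter."""
    return hotp(key, time_step(unix_time, t0, x), digits)


def verify(key: bytes, candidate: str, unix_time: int, back: int = 2,
           forward: int = 0, t0: int = 0, x: int = 30, digits: int = 6):
    """Validator with a drift window: accept the current step and up to
    `back` earlier / `forward` later steps. Returns the step offset that
    matched (0 = in sync, -1/-2 = client behind) or None when rejected.
    Every step in the window is checked with a constant-time comparison."""
    t = time_step(unix_time, t0, x)
    matched = None
    for delta in range(-back, forward + 1):
        if t + delta < 0:          # no steps before the epoch
            continue
        if hmac.compare_digest(hotp(key, t + delta, digits), candidate):
            matched = delta
    # A real validator must also record the last accepted step and refuse
    # that step or an earlier one afterwards, so a code cannot be replayed
    # inside the window.
    return matched


# Constructed demo key: the RFC 6238 reference secret (ASCII "1234...890").
KEY = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(KEY, 30)               # client at second 30, first second of T=1
    print(code, verify(KEY, code, 119))  # server at last second of T=3: 89 s drift -> -2
    print(code, verify(KEY, code, 120))  # server now at T=4, window T=2..4 -> None
```

With the default 30-second step and two backward steps, the run shows the 89-second bound from the text: a code minted in the first second of step T=1 is still accepted in the last second of T=3 and rejected one second later.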

• TOTP - Time-based One-Time Password
• Use a secret key and the time of day
• Secret key is configured ahead of time
• Timestamps are synchronized via NTP
• Timestamp usually increments every 30 seconds
• Put in your username, password, and TOTP code
• One of the more common OTP methods
• Used by Google, Facebook, Microsoft, etc.
Professor Messer