Sunday, April 7, 2024
TOTP application
TOTP stands for Time-Based One-Time Password. It's a form of two-factor authentication that generates a unique, temporary password that is used along with a regular password for added security. TOTP codes are usually generated by mobile apps or hardware tokens.
Here's how a TOTP application typically works:
- Setup: Initially, you'll need to set up two-factor authentication on the service or platform you want to secure. This usually involves enabling TOTP authentication and scanning a QR code or entering a secret key into your TOTP application.
- Generating Codes: Once set up, the TOTP application (such as Google Authenticator, Authy, or Microsoft Authenticator) will continuously generate new, time-based codes. These codes are typically 6 to 8 digits long and change every 30 seconds or so.
- Authentication: When logging into the service or platform, you'll be prompted to enter a TOTP code along with your regular password. You'll retrieve the current code from your TOTP application and enter it within the allotted time window.
- Validation: The service or platform will then validate the code you entered against the expected code generated by their system. If they match, you'll be granted access.
- Continuous Use: Every time you log in, you'll need to provide a new TOTP code from your application. This adds an extra layer of security because even if someone were to obtain your regular password, they wouldn't be able to access your account without the TOTP code.
Remember, it's important to keep your TOTP application and the device it's installed on secure to prevent unauthorized access to your accounts. Additionally, it's a good idea to have backup methods of authentication in case you lose access to your TOTP application or device. This might include backup codes provided by the service or platform, or alternative authentication methods like SMS or email verification.
TOTP URI scheme
The text "otpauth://totp" typically serves as a URI scheme used to represent TOTP (Time-Based One-Time Password) parameters in a standardized format. This format is commonly used for sharing TOTP configuration data between applications, such as when setting up two-factor authentication on a new device.
otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA256&digits=6&period=30
Following "otpauth://totp", there is typically additional information encoded in the URI, including:
- Label: This identifies what the TOTP code is for, such as the name of the service or account.
- Issuer (Optional): This specifies the provider or issuer of the TOTP code.
- Secret: This is a unique secret key used to generate the TOTP codes.
- Algorithm (Optional): This specifies the algorithm used to generate the codes, usually HMAC-SHA1, HMAC-SHA256, or HMAC-SHA512.
- Digits (Optional): This specifies the number of digits in the generated TOTP codes, typically 6 or 8.
- Period (Optional): This specifies the time period (in seconds) for which a TOTP code is valid, usually 30 seconds.
- Counter (Optional): This belongs to the counter-based alternative to the time-based approach (HOTP), specifying the counter value used to generate codes.
This URI would be interpreted by a TOTP-compatible application to set up a TOTP configuration for an account named "Example" belonging to "alice@example.com". It specifies a secret key, SHA-256 algorithm, 6-digit codes, and a 30-second period.
You can use this URI to easily configure a TOTP application by scanning a QR code or manually entering the information into the app. This helps streamline the setup process for two-factor authentication on various platforms.
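Because an otpauth:// URI usually arrives from a QR code or a pasted string, an application should validate every field before trusting it. The following parser is an added example (not code from the original post); it uses only the Python standard library and checks the label/issuer consistency, the base32 secret, the algorithm whitelist, and the digit and period ranges described above.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlparse, parse_qs, unquote

# Algorithms the otpauth scheme allows; anything else is rejected.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Return validated TOTP parameters from an otpauth://totp URI, or raise ValueError."""
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if u.netloc.lower() != "totp":
        raise ValueError("only the totp type is handled here")
    # The label is "Issuer:account" or just "account", percent-encoded.
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    if not account:
        raise ValueError("label must name an account")
    # Keep the last value if a parameter is repeated.
    q = {k: v[-1] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("secret is required")
    # Some generators omit base32 padding; restore it before decoding.
    secret = q["secret"].strip()
    secret += "=" * (-len(secret) % 8)
    try:
        key = base64.b32decode(secret, casefold=True)
    except binascii.Error as e:
        raise ValueError("secret is not valid base32") from e
    issuer = q.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:
        raise ValueError("issuer parameter does not match label prefix")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm %r" % algorithm)
    digits = int(q.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")
    period = int(q.get("period", "30"))
    if period <= 0:
        raise ValueError("period must be positive")
    return {"account": account, "issuer": issuer, "key": key,
            "digest": ALGORITHMS[algorithm], "digits": digits, "period": period}
```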
How does a TOTP application generate TOTP codes?
The TOTP application does not need to contact the issuer or know its IP address. It only needs the URI (otpauth://totp/...), because the URI contains all the information the application needs to generate TOTP codes.
Here's a simplified explanation of how you can generate TOTP codes based on the shared secret:
- Convert the secret from base32 encoding: The secret provided in the URI (JBSWY3DPEHPK3PXP) is typically base32 encoded. You'll need to decode it to its raw binary form.
- Determine the current time: TOTP codes are time-based, so you need the current time, typically Unix time (the number of seconds since January 1, 1970), which is divided into steps of the period given in the URI (30 seconds in this case).
- Calculate the counter: The counter value is the current Unix time divided (integer division) by the period specified in the URI. This represents the number of time steps that have elapsed since the Unix epoch.
- Hash the counter with the secret: Use the HMAC-SHA algorithm specified in the URI to compute an HMAC over the counter (encoded as an 8-byte big-endian integer) with the shared secret as the key. This produces a hash value.
- Extract the dynamic truncation offset: TOTP uses a dynamic truncation offset to extract a 4-byte dynamic binary code from the hash. The offset is the value of the last 4 bits of the hash (the low nibble of its final byte).
- Generate the OTP: Take the 4-byte dynamic binary code, clear its most significant bit, interpret it as an unsigned integer, and keep the last 6 or 8 decimal digits (the value modulo 10^digits).
- Format the OTP: If necessary, left-pad the OTP code with zeros to the specified number of digits (6 digits in this case).
Here's an example implementation in Python using the pyotp library (pyotp.parse_uri() returns a configured TOTP object rather than a dict, so the parameters are read from its attributes):

```python
import time
import base64
import hmac
import hashlib
import struct
import pyotp

uri = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA256&digits=6&period=30"

# Parse the URI to extract parameters
totp = pyotp.parse_uri(uri)
secret = base64.b32decode(totp.secret)   # raw key bytes (the URI carries it base32 encoded)
digits = totp.digits                     # 6
period = totp.interval                   # 30 seconds
digest = totp.digest                     # hashlib.sha256 for algorithm=SHA256

# Generate TOTP code
epoch = time.time()
counter = int(epoch) // period               # time steps since the Unix epoch
counter_bytes = struct.pack(">Q", counter)   # 8-byte big-endian counter
hash_value = hmac.new(secret, counter_bytes, digest).digest()
offset = hash_value[-1] & 0x0F               # dynamic truncation offset: low nibble of the last byte
dynamic_code = struct.unpack(">I", hash_value[offset:offset + 4])[0] & 0x7FFFFFFF
otp = str(dynamic_code % (10 ** digits)).zfill(digits)
print("TOTP code:", otp)

# Cross-check the manual derivation against the library for the same time step
assert otp == totp.at(int(epoch))
```
This code snippet demonstrates a basic TOTP code generation process. However, it's essential to use a trusted library for generating TOTP codes in production scenarios due to the security implications. The pyotp library is widely used and reputable for this purpose.
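The post describes the generation side; the validation step on the server has its own pitfalls: it must tolerate a little clock drift between the phone and the server, compare codes in constant time, and refuse a code that has already been accepted, since a valid code can otherwise be replayed within its 30-second lifetime. The following is an added example (not from the original post, and not pyotp's code) that implements RFC 4226 HOTP, RFC 6238 TOTP, and such a verifier using only the standard library; `window=1` (one step either side) and the `last_step` bookkeeping are the assumptions it makes.

```python
import hmac
import hashlib
import struct


def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)            # keep the last `digits` decimal digits


def totp(key, unix_time, period=30, digits=6, digest=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the number of `period`-second steps since the Unix epoch."""
    return hotp(key, int(unix_time) // period, digits, digest)


def verify_totp(key, submitted, unix_time, last_step, period=30, digits=6,
                digest=hashlib.sha1, window=1):
    """Check `submitted` against the steps [T-window, T+window].

    Returns (accepted, new_last_step). Any step at or below `last_step` (the
    most recently accepted step, stored per user) is never accepted again, so a
    code captured and replayed within its lifetime is rejected.
    """
    # Reject malformed input up front; this reveals nothing about the secret.
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False, last_step
    step = int(unix_time) // period
    accepted = False
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_step:
            continue                                         # already used, or older than it
        expected = totp(key, candidate * period, period, digits, digest)
        # Constant-time comparison; every remaining candidate is checked so
        # the work done does not depend on which step matched.
        if hmac.compare_digest(expected, submitted):
            accepted = True
            last_step = candidate
    return accepted, last_step
```

With a fresh `last_step` of -1 the same code is accepted once and then refused for the rest of its window, which is the behaviour a login endpoint should have.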