What are OTP, HOTP and TOTP in 2FA?

A one-time password (OTP), also written "one time password", is usually a string of randomly generated digits that is valid for a single login or a single bank transaction only. OTPs are the best protection against common password attacks.
OTPs are an authentication method commonly used as part of two-factor authentication (2FA) or multi-factor authentication (MFA), which helps balance security and usability. OTPs are unique passwords that are valid only for a single login session and only for a defined period of time.

What is Two-Factor Authentication?

Two-factor authentication (2FA) is the simplest and most effective way to add a secure layer of authentication on top of the login credentials. After users enter their credentials, they must verify their identity using an independent factor (email, SMS, security questions, social profile, etc.). Requiring this second step blocks suspicious login attempts from reaching the system, even if someone has obtained the consumer's password.

What is Multi-Factor Authentication (MFA)?

MFA is the best choice for a multi-layered access environment spanning users, devices, cloud and on-premise applications. MFA is an authentication system that requires a user to provide more than two forms of identity verification before being allowed access to a network or application.

MFA is usually considered safer than 2FA because it provides more layers of security against cybercriminals.

"Two-factor authentication (2FA) authenticator apps, using a Time-based One-time Password Algorithm (TOTP), are the industry-recommended approach for 2FA. 2FA using TOTP is preferred to SMS 2FA." (Recommendation from Microsoft.)

I don't know the reason for sure, but I think the main reason is that the SMS mobile protocol is not secure: it is an unencrypted network. I guess so. And in the MFA sense, SMS is not really "what you have".

Anyway, HOTP (HMAC-based One-Time Password) or TOTP (Time-based One-Time Password) is the algorithm used to generate the codes for 2FA or MFA.

OATH HOTP-compatible tokens generate OTPs that have no expiration period, and as already concluded, this creates a major security vulnerability. TOTP passcodes, on the other hand, have the advantage of being valid only for a limited time period: the time step. If the generated code is not used within the 30-60 seconds, it expires and cannot be used for login.

Validation of a TOTP code is slightly different from HOTP. The authentication server checks whether the code falls within a certain window around the current time (the window is a small multiple of the time step, typically a few minutes at most). If the code is within that window it is accepted. To prevent code reuse, the server stores the time step of the last successfully used code and requires any subsequent login attempt to use a code from a later time step.
