- What is TOTP?
- Why do we need it?
- How does it work (simplified)?
- Why is it secure?
- Attacks against TOTP
- Demo
- References
Time-based one-time password
A Time-based One-Time Password (TOTP, RFC 6238) is a short numeric code derived from a secret shared between client and server and from the current time. TOTP is commonly used as the second factor in Multi-Factor Authentication (MFA).
Step 1: Inputs: the pre-shared secret (the seed the server shows at setup and the authenticator app stores) and the current Unix time.
Step 2: Calculate the counter: the number of whole 30-second windows since the Unix epoch, counter = floor((now - T0) / 30). The server typically also checks one window on either side (skew/offset) to tolerate clock drift.
Step 3: Generate HMAC-SHA1(secret, counter), with the counter encoded as an 8-byte big-endian value.
Step 4: Dynamic truncation: take the low nibble of the last HMAC byte as an offset, read 4 bytes from that offset, clear the top bit, and reduce modulo 10^digits (6 or 8 digits).
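The four steps above, worked through in Go as an added example (this is not the demo's own code under cmd/). It decodes a base32 seed of the kind an authenticator app accepts, derives the counter, computes HMAC-SHA1, truncates, and adds the server-side check with a clock-skew window and the replay rule from RFC 6238 section 5.2. The seed is the RFC 6238 test seed, so the codes it produces can be checked against the RFC's own test vectors; the type and function names are this example's choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const (
	timeStep = int64(30) // X in RFC 6238: window length in seconds
	t0       = int64(0)  // Unix time at which counting starts
)

// decodeSecret turns the base32 seed an authenticator app expects
// (RFC 4648 alphabet, no padding) into raw key bytes.
func decodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// counter is step 2: how many whole windows have elapsed since t0.
func counter(unix int64) int64 {
	return (unix - t0) / timeStep
}

// hotp is steps 3 and 4 (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
// counter, dynamic truncation, then reduction to the requested digit count.
func hotp(secret []byte, c int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(c))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil) // 20 bytes

	offset := sum[len(sum)-1] & 0x0f                                 // low nibble of last byte
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff // clear the sign bit
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp ties the steps together for a given Unix time.
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, counter(unix), digits)
}

// Verifier is the server-side check: it tolerates clock drift of +/-skew
// windows and, per RFC 6238 section 5.2, refuses a code whose window is not
// newer than the last window already consumed (replay protection).
type Verifier struct {
	secret      []byte
	digits      int
	skew        int
	lastCounter int64 // -1 until the first successful verification
}

func NewVerifier(secret []byte, digits, skew int) *Verifier {
	return &Verifier{secret: secret, digits: digits, skew: skew, lastCounter: -1}
}

func (v *Verifier) Verify(code string, unix int64) bool {
	now := counter(unix)
	for i := -int64(v.skew); i <= int64(v.skew); i++ {
		c := now + i
		if c < 0 || c <= v.lastCounter {
			continue // never accept a window that was already used
		}
		want := hotp(v.secret, c, v.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test seed "12345678901234567890", base32 encoded.
	secret, err := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	fmt.Println("current code:", totp(secret, now, 6))
	// Time traveler: anyone holding the seed can compute the code for any future window.
	fmt.Println("code one hour from now:", totp(secret, now+3600, 6))
	v := NewVerifier(secret, 6, 1)
	code := totp(secret, now, 6)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:", v.Verify(code, now))
}
```

The Verifier keeps `lastCounter` in memory for illustration; a real server stores it per user so that a code cannot be submitted twice within its window, even from a second session. The `now+3600` line is the point of the time-traveler attack: whoever controls the clock or holds the seed can produce valid codes for any window.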
- Offline: the client needs no network connection, only the shared secret and a reasonably accurate clock.
- Replay resistance: codes rotate every 30 seconds, and the server should also refuse to accept a code for a window it has already accepted (RFC 6238 section 5.2), so a captured code is useless once used or expired.
- Length is configurable (6 to 8 digits); the code is a truncation of an HMAC, so observing codes does not reveal the secret.
- Phishing/MITM: a proxy site relays the victim's credentials and the current TOTP to the real server in real time and takes over the resulting session; the 30-second window is long enough for this.
- Code interception: malware/spyware on the device can read codes from the authenticator app or screen as they are shown.
- Seed exposure: the secret shared between server and client is the whole security of the scheme; anyone who obtains it (from a backup, a QR code screenshot, or a database dump) can generate every future code.
- Time traveler attack: an attacker with access to the TOTP device/hardware can set its clock forward, record the codes for future windows, restore the clock, and use them later.
```sh
go mod tidy
go build cmd/main.go
./main
```
- Generate a secret by going to http://localhost:8080/setup
- Add the secret to your authenticator app (Google Authenticator):
- Open the Google Authenticator app
- Press the Add button (+) at the bottom right
- Press "Enter a setup key" and fill in the fields:
- App Name: TOTP-Demo
- Secret: the secret generated by the server
- Type of Key: Time-based
- Press Add
- Validate the TOTP:
- Go to http://localhost:8080/totp/{id}, where id is the id the server returned when it generated the secret
- Compare the TOTP generated by the app with the one from the server; they should be the same
- If the TOTPs differ, check that the server and the phone have the same time (clock sync); a drift of more than one 30-second window produces different codes
Note
AI (Gemini) was used in writing part of the code.