Time-based One-Time Password (TOTP)

A type of token used for Multi-Factor Authentication (MFA): typically a 6-digit code, generated in a dedicated authenticator application according to RFC 6238, that changes every 30 seconds.

Typically, using TOTP as a second factor of authentication involves these steps:

  1. Setup Phase:

    • User Enrollment: The user enables TOTP authentication for their account through a service or application. During the setup, the user typically scans a QR code provided by the service using a TOTP-compliant app, or they manually enter a secret key.

    • Secret Key: The service generates a random secret key (RFC 4226 recommends at least 128 bits, 160 bits preferred), which is shared only between the service and the user's device. This secret key is used to generate the time-based one-time passwords; anyone who obtains it can generate valid codes, so the service must store it as carefully as a password hash and the user must not share the QR code.

  2. Authentication Phase:

    • Time-Based Algorithm: Both the service and the user's device use the same keyed-hash algorithm (HMAC-SHA1 by default; HMAC-SHA256 and HMAC-SHA512 are also defined) to generate a one-time password (OTP). The algorithm combines the secret key with a counter derived from the current time, namely the number of 30-second intervals (time steps) elapsed since the Unix epoch, and truncates the result to the displayed digits.

    • Synchronization: To ensure successful authentication, the clocks of the service and of the user's device must agree to within the tolerated drift. Each side calculates the OTP from the same secret key and the same time interval; if the calculated OTPs match, the user is granted access.

  3. Login Process:

    • User Login: When the user attempts to log in, the service prompts them to enter the current OTP generated by their TOTP-compliant app.

    • Generating OTP: The user's device calculates the OTP based on the current time interval and the shared secret key.

    • Validation: The service also calculates the OTP using the same algorithm and checks whether the provided OTP matches the calculated one. To absorb clock drift it usually also accepts the codes of a small number of neighbouring time steps (typically one 30-second interval before and after the current one, as RFC 6238 recommends); if any of these matches, the user is successfully authenticated. A code that has already been accepted must not be accepted a second time, even while it is still within the window, so the service records the last time step it has used for the account.
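The generator and verifier halves of the procedure above, written here as an added example; this is not code from the original page or from the Perun service. It uses only the Python standard library. The secret is the constructed RFC 4226/RFC 6238 test key "12345678901234567890", and the `TotpVerifier` class, its one-step drift window and its replay check are illustrative assumptions about how the validation step is done rather than a description of Perun's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample secret: the test key from RFC 4226 / RFC 6238.
# Authenticator apps receive the key Base32-encoded (inside the otpauth:// QR code),
# so both forms are shown.
TEST_SECRET = b"12345678901234567890"
TEST_SECRET_B32 = base64.b32encode(TEST_SECRET).decode()  # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(key, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(key, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(key, for_time // step, digits, digestmod)


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the Base32 secret from an otpauth:// URI; apps often omit the '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


class TotpVerifier:
    """Server-side validation (assumed design): tolerate +/- `window` time steps of clock
    drift and refuse to accept a time step that has already been used for this account."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted_counter = -1  # in a real service this is persisted per account

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:   # replay: RFC 6238 section 5.2
                continue
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):      # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # The device side: what the authenticator app would display right now.
    print("current code:", totp(TEST_SECRET, int(time.time())))
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print("T=59, 8 digits:", totp(TEST_SECRET, 59, digits=8))
```

Running the block prints the live code for the test secret; the `TotpVerifier` is what the service side would hold per account. Note that a code is valid for the whole window, so an attacker who phishes a code in real time can use it within roughly a minute, which is why TOTP protects against credential stuffing but not against an interactive phishing proxy.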

Support: perun@cesnet.cz