Overview
Two-factor authentication (also known as 2FA) is an authentication mechanism that combines two different authentication methods to verify a user. In March 2011, Google announced the use of two-factor authentication for its online services, followed by MSN and Yahoo.
In addition to verifying the username and password, two-factor authentication also requires possession of another physical device, such as an RSA token or a mobile phone. Two-factor authentication products can be broadly divided into two categories:
- Hardware devices that generate tokens
- Smartphone apps
OTP
The password used in two-step verification is a one-time password (OTP), also known as a dynamic password. It is a strong authentication technique built on cryptography: the client and server share a secret key, and every password is derived from that key so that it is valid only once. It is a convenient way to strengthen the static password authentication in use today and is an important two-step verification technique.
OTP is short for One-Time Password. It comes in the following two types:
HOTP (HMAC-Based One-Time Password Algorithm)
HOTP is a one-time password generated with the HMAC algorithm, also known as the event-synchronized dynamic password. It is an algorithm specification published by the IETF (RFC 4226), and the pseudocode is as follows:
HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))
The client and server negotiate a key K in advance for generating the one-time password. The client and server each keep an event counter C and synchronize its value beforehand. Truncate is an algorithm that converts the 20-byte string produced by HMAC-SHA-1 into a short decimal number of a few digits.
TOTP (Time-Based One-Time Password Algorithm)
TOTP is an improved version of HOTP that replaces HOTP's event counter C with a value derived from the current time, also known as the time-synchronized dynamic password. Pseudocode:
TOTP(K, T) = HOTP(K, T), where T = floor((current Unix time - T0) / X)
T0 is the starting time from which steps are counted, which defaults to 0. X is the time step, which defaults to 30 seconds. The official specification gives an example: assuming the current Unix time = 59, T0 = 0 and X = 30, then T = 1; assuming the current Unix time = 60, T0 = 0 and X = 30, then T = 2. That is, the value of T is rounded down and the fractional part is discarded.
From the above figure, we can see that the algorithm has two main inputs: the shared key (also known as the seed) and the counter (or time factor); a specific algorithm combines them to compute the result. If both inputs agree on the two sides, the server and the client compute the same value, which is what enables authentication.
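The HOTP and TOTP computations described above, as an added example that is not part of the original article: Python implementing RFC 4226 HOTP (HMAC-SHA-1 plus dynamic truncation), the RFC 6238 time counter T = floor((time - T0) / X), and a server-side verify function that tolerates one step of clock drift. The key "12345678901234567890" and the expected codes are the test vectors published in those two RFCs; the function names are my own.

```python
import hmac
import hashlib
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), as specified in RFC 4226."""
    # The counter C is encoded as an 8-byte big-endian integer before MACing.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA-1 output
    # Dynamic truncation: the low 4 bits of the last byte select an offset,
    # and the 4 bytes at that offset are read as a 31-bit unsigned integer.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep the requested number of decimal digits, zero-padded on the left.
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: int, t0: int = 0, step: int = 30) -> int:
    """T = floor((unix_time - T0) / X): the time-based counter of RFC 6238."""
    return (unix_time - t0) // step


def totp(key: bytes, unix_time: int, digits: int = 6,
         t0: int = 0, step: int = 30) -> str:
    """TOTP is HOTP with the time counter T substituted for the event counter C."""
    return hotp(key, totp_counter(unix_time, t0, step), digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, digits: int = 6,
                t0: int = 0, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and up to
    `window` neighbouring steps (clock drift), comparing in constant time."""
    t = totp_counter(unix_time, t0, step)
    for delta in range(-window, window + 1):
        expected = hotp(key, t + delta, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC test key; the article's worked example.
    key = b"12345678901234567890"
    for ts in (59, 60):
        print(f"unix time {ts}: T = {totp_counter(ts)}, code = {totp(key, ts)}")
    print("current 6-digit TOTP:", totp(key, int(time.time())))
```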