What is TOTP? Understanding Time-based Security

I am a student trying to learn and grow. Engineering/Developing things is dopamine for me.
In this article, we will explore what TOTP actually is, see it in action during a security breach, and then dismantle the clock-based mathematics that makes it work.
What is TOTP?
TOTP stands for Time-based One-Time Password. It is an algorithm that generates a temporary, unique password which is valid only for a short period (typically 30 seconds).
Unlike traditional passwords, which are static (they remain the same until you change them), TOTP is dynamic. It relies on two fundamental factors working in harmony:
The Shared Secret: A unique key exchanged between you and the server during setup (usually via that QR code).
The Current Time: A universal clock that both your device and the server can access independently.
This combination creates a "rotational" security layer. Even if a hacker intercepts your code right now, that code will be useless in half a minute.

Working of TOTP (Using a Real World Scenario)
To truly understand the value of TOTP, let's look at a classic "Phishing Attack" scenario. Imagine you receive a convincing email looking like a security alert from GitHub, leading you to a fake login page.
Scenario A: The Breach (Without TOTP)
In this world, your security relies entirely on your static password.

The Attack: You enter your username and password on the fake site. The hacker captures them.
The Execution: The hacker immediately takes these credentials to the real GitHub login page.
The System Check: The system asks, "Does this password match the database?" -> YES.
The Result: ❌ Total Account Compromise. The hacker has full access to your account.
Scenario B: The Defense (With TOTP)
In this world, you have enabled 2FA.

The Attack: The hacker captures your username and password on the fake site.
The Execution: They navigate to the real GitHub login page and enter your credentials.
The First Barrier: The password is correct.
The Second Barrier: The system pauses. It recognizes 2FA is enabled and asks: "Please enter the 6-digit code from your authenticator app."
The Failure: The hacker is stuck. They have your "Knowledge" (password), but they do not have your "Possession" (the physical phone generating the current code).
The Result: ✅ Account Secure. The login attempt is blocked.
The Time Component: How Synchronization Works
This is the technical "magic." How do your phone and the server agree on the code without communicating? They use Unix Epoch Time and Integer Division.
The Math
The algorithm divides time into fixed windows (usually 30 seconds). The formula looks like this:
$$Counter = \lfloor \frac{Current\_Time - T_0}{Interval} \rfloor$$
Current_Time: The current Unix timestamp (seconds since Jan 1, 1970).
T_0: The Unix time at which counting starts; in the common case this is 0, which is what the trace below and the Python code assume.
Interval: 30 seconds.
Floor Function ($\lfloor ... \rfloor$): This rounds the result down to the nearest whole number.
Let's trace it second-by-second:
At Time = 900s: $900 / 30 = 30.0$. The counter is 30.
At Time = 915s: $915 / 30 = 30.5$. The floor function drops the decimal. The counter is still 30.
At Time = 929s: $929 / 30 = 30.9$. The counter is still 30.
At Time = 930s: $930 / 30 = 31.0$. The counter changes to 31.

Because the "Counter" input stays constant for a whole 30-second window, the HMAC computed from it, and therefore the 6-digit code derived from that HMAC, stays constant too.
Implementation in Python
We can simulate this logic to generate valid TOTP codes from scratch using Python.
```python
import time
import math
import hmac
import hashlib
import struct


def get_totp_token(secret, interval=30):
    # 1. THE TIME (T)
    # Get Unix time and divide by 30 to get the counter
    current_time = time.time()
    counter = math.floor(current_time / interval)
    # Convert counter to bytes (8 bytes, big-endian) for the hash function
    counter_bytes = struct.pack(">Q", counter)
    # 2. THE SECRET (K) & THE HASH (HMAC)
    # Encode secret to bytes if needed. (Real authenticator apps receive the
    # secret Base32-encoded inside the QR code and decode it with
    # base64.b32decode; this simulation simply uses the raw string bytes.)
    key_bytes = secret.encode('utf-8')
    # Create the HMAC hash using SHA1
    hmac_hash = hmac.new(key_bytes, counter_bytes, hashlib.sha1).digest()
    # 3. DYNAMIC TRUNCATION (Getting the 6 digits)
    # Take the last 4 bits of the hash to determine offset
    offset = hmac_hash[-1] & 0x0f
    # Extract 4 bytes starting from the offset
    code_binary = struct.unpack(">I", hmac_hash[offset:offset+4])[0]
    # Mask to ignore the sign bit
    code_binary = code_binary & 0x7fffffff
    # Modulo 1,000,000 to get the last 6 digits
    token = code_binary % 1000000
    # Pad with zeros if necessary (e.g., '123' becomes '000123')
    return str(token).zfill(6)


# --- Simulation ---
my_secret = "MySuperSecretKey123"
print(f"Secret Key: {my_secret}")
print(f"Current Token: {get_totp_token(my_secret)}")
print("Wait 30 seconds and run again to see it change!")
```
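The code above generates a token for the current moment; the added example below (my own code, not the article's) takes a fixed timestamp so the counter math from "The Time Component" can be checked against the published RFC 6238 test vectors, decodes a Base32 secret the way an authenticator app does, and covers the server side the article leaves out: a verifier that tolerates one step of clock drift, compares in constant time, and never accepts the same step twice, because a drift window of ±1 step would otherwise keep an intercepted code usable for up to 90 seconds instead of 30. The secret and timestamps used are the RFC 6238 SHA-1 test values, not a real account's.

```python
import hmac
import hashlib
import struct
import base64


def totp_at(key: bytes, timestamp: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a fixed timestamp, so results are reproducible."""
    counter = timestamp // interval                      # floor division, T_0 = 0
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def key_from_base32(secret_b32: str) -> bytes:
    """Authenticator apps get the secret Base32-encoded (the QR code); the server keeps raw bytes."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                 # restore padding that QR payloads omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: allow +/- `window` steps of clock drift, but consume each step once."""

    def __init__(self, key: bytes, interval: int = 30, window: int = 1):
        self.key, self.interval, self.window = key, interval, window
        self.last_counter = -1  # highest time step already used for a successful login

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.interval
        for step in range(max(0, current - self.window), current + self.window + 1):
            if step <= self.last_counter:
                continue  # replay: this step (or an older one) was already consumed
            expected = totp_at(self.key, step * self.interval, self.interval)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_counter = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), constructed for the demo
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp_at(key, 59), totp_at(key, 1111111109))    # 287082 081804
```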
Conclusion
TOTP is a perfect example of elegant system design. By combining a shared secret with a quantized version of universal time, we create a security layer that is robust, offline-capable, and incredibly difficult to bypass.
The next time you enter that 6-digit code, you know exactly what’s happening.