LOGBOOK

HELP

Quiz Entry - updated: 2026.06.01

How does a TOTP (Time-based One-Time Password) login work, and what's the formula?

Token displays OTP = f(key, current_time_window) that changes every ~30 seconds. User types both their password and the current OTP. Server computes the same and compares.

The flow:

  1. User enters password → 1. password to server.
  2. Token (RSA SecurID, Google Authenticator, etc.) shows a number — say 359702 — derived from a shared secret key and the current time bucket.
  3. User types the OTP → 2. TOTP to server.
  4. Server, knowing the shared key, computes the expected TOTP for the current time window and compares.

The formula: OTP = HMAC(key, T) truncated to 6 digits, where T = floor(current_time / 30 seconds).

Why time-based:

  • No need for a back-channel between token and server — the "challenge" is just the wall clock.
  • Server typically accepts the previous, current, and next time window to tolerate small clock drift.

Strengths and weaknesses:

  • Strength: the secret never travels; old OTPs are useless 30 s later.
  • Weakness: no transaction binding — the OTP says only "I'm here right now", not "I authorise transferring CHF 5000 to account X". A man-in-the-browser can hijack the session after the OTP is consumed.

Tip: Google Authenticator, Authy, 1Password, and most "authenticator apps" implement RFC 6238 (TOTP).

From Quiz: ISF / Access Control | Updated: Jun 01, 2026