OTP – Time based One Time Password OTP – Time based One Time Password
Providing Awareness about Innovative Lesson Syllabus Implemented in Cyber Security Technologies in Information Technologies 5th MEETING London 25th MAY 2018 BUCKINGHAMSHIRE NEW UNIVERSITY TOTP... OTP – Time based One Time Password

Providing Awareness about Innovative Lesson Syllabus Implemented in Cyber Security Technologies in Information Technologies

London 25th MAY 2018

TOTP Conference

Autor: Gabriel Piñero (Telefonica – Cybersecurity Expert)

Introduction to 2FA

TOTP is used to protect digital identity with a second factor authentication in a service (Gmail, Dropbox, Paypal and many more) and gives us an alternative way to check digital identity.

In this way we have:

First factor: based on something we know – that is user and password of the account.

and a second factor: based on something we have, that is the token generated by TOTP application in the mobile phone (or text message).

For example:

If we want to protect our Gmail account and someone steals your password, the hacker will not be able to access your mail if we have activated the second factor authentication.

The hacker has a username and password but does not have the mobile phone to pass the second factor authentication.

TOTP as its name indicates is used to generate tokens, codes, passwords (…or whatever you want to call it) that are valid for a short time.

This codes are generated using an algorithm that computes a one-time password from a shared secret key and the current time

This algorithm is HMAC type that is based on using a hash function and a shared secret.

In the case of TOTP, it is HMAC-SHA1 (by default)

This way of generating the codes using hash (SHA1) and timestamp has been adopted as a standard IETF six two three eight.

Because the hash uses the timestamp the time is important and the NTP protocol is generally used to synchronize this time.

With the timestamp we add security to the code since it can not be remembered by the user (because it changes over time) and if it is stolen it will not be valid either.

Time is counted in what is called UNIX epoch time that measures the seconds elapsed since January 1, 1970

 There are many applications to generate TOTP codes that meet the standard:

  • Authy
  • Google Authenticator
  • Latch
  • LastPass

These applications are based on the IETF standard to generate the codes that will allow us to validate the second factor authentication.

The applications is not linked to the service (This is important)

For example you can use Authy to generate codes to Gmail account second factor authentication.

Any application based on the standard is valid to generate TOTP codes


Normally the configuration of two factor authentication is really simple

The service presents a QR code that is scanned with the mobile app and stored in the device.


The application understands this type of URI (OTP Auth)

Basically the application keeps a secret:


the name of the service:


and the user:


(It is also possible to configure other values such as the time window which by default is 30 seconds or the hash algorithm).

It may seem that there is communication between the service and the application to validate the codes but this is not true.

This QR code is the only thing they share and they follow the standard to generate the codes

As you can see in the image Gmail and Google authenticator do not need to communicate to know that the code is valid.

This is the really interesting thing the application generates the codes autonomously, it can work offline, and it doesn’t need internet connection

Last, If the code calculated by the application and the code calculated by the service are equals it permit access, is really simple.

As we can see in this example the code changes every 30 seconds (the default value)

POC – Python script

As proof of how TOTP works, we show below a code written in Python.

There are many libraries, not only in python, there are libraries for .NET, C, Java, PHP and other programming languages, it’s just an example

In the example we will use two libraries.

PyOTP to generate the codes and validate them.

PyQrCode to generate the QR code that the application understands to configure the service.


import pyotp
import pyqrcode

print ("--- Testing TOTP with python libraries \n\n")
print ('Generating OTPAuth QR Code in file otpauth_qr.png (scan it with your app)')

random_n = pyotp.random_base32()
totp = pyotp.TOTP(random_n)
qr = totp.provisioning_uri("gpinero@testing.com", issuer_name="TEST TOTP Python")
url = pyqrcode.create(qr)
big_code = pyqrcode.create(qr, error='L', version=27, mode='binary')
big_code.png('otpauth_qr.png', scale=6, module_color=[0, 0, 0, 128], background=[0xff, 0xff, 0xcc])
print ('-- Test TOTP code -- \n')

while loop:
	print ('TOTP code now is: '+ totp.now())
	totp_input = input("Input the app code (0 - to exit):")
	if totp.verify(str(totp_input)):
		print ('\n ## OK your code is valid !!!'+str(totp_input))
		print ('\n WRONG code, not is '+str(totp_input))
	if totp_input==0:
		print "Bye..."

Ok, its demo time

In the next video that we will see now, we checks how the python code generates a shared secret and write it using OTP Auth in a QR code.

Later we will open the image with the QR code and read it with a mobile application (Google Authenticator)

A new service will be added and we will check how the codes generated are valid

This is basically how a service like Gmail does when activating double factor authentication and how check it.


No comments so far.

Be first to leave comment below.

Your email address will not be published. Required fields are marked *

CAPTCHA ImageChange Image