John Jellema Watch: What is Time-based One-Time Password (TOTP)?
To understand the business and security value for TOTP (Time-based One-Time Passwords), we need to look at how the password has evolved over the years.
For a long time, we’ve been trained to use complex passwords, for example including capital letters, numbers and special characters. While this may have been the solution to account security in the past, I’m going to point out some faults in continuing this and a method to help move your service forward into a more secure future.
Password policies
To ensure good password management, companies are forcing users to renew their password every 3 months or so. This usually results in people reusing older iterations of their passwords or using the month/year in their passwords. Password management practices are not very secure!
Another option is to use a password manager. This will make sure that your passwords are better secured and not that easily accessible. But it’s just another way to write the password down, a current way to game the system and make it easier to access your accounts. The password manager still needs a master password. Remember, a hacker only needs to break the weakest link in the chain to get access to everything.
A passphrase instead?
A better option might be to use a password with many characters (be it letters, numbers or special characters). With longer passwords, even by stapling words after each other to create a sentence, you create a difficult password to decrypt but is easier to remember. This removes the need to write it down somewhere.
In fact, this idea isn’t new. NIST suggested an easy to remember long passphrase rather than hard to remember complex password way back in 2017! Have a look at the XKCD comic strip below – it helps to remove all the math jargon and make it easy to understand why a longer passphrase is better.
Source: xkcd.com/936
What about TOTP (Time-based One-time Passwords)?
While it is better to use long passphrases than complex passwords, there are additional ways to enhance the security of accounts. One of the most common methods is by using a Time-based One-time Password (TOTP). TOTP authentication solutions include physical tokens that rotate six-digit numbers or codes sent via SMS or to an authenticator app on your phone.
Utilising TOTP will give your accounts a second factor authentication method (2FA). Anyone trying to get access your account not only needs to know your username and password, but also needs to input a time-limited code. The code is issued uniquely to your device. In practice this means that the person that tries to get unauthorised access to the account either needs to be in possession of the device or get the account owner to give it to them.
More and more services are providing TOTP with applications that support the generation of the time-based code. If you use your Google, Microsoft or Apple account to sign onto more and more other services (known as BYOI, bring your own identity), securing this identity will become significantly more important.
Google Authenticator. Source: medium.com/@richb_
One of the most downloaded/utilised TOTP authenticator applications is the Google Authenticator. The setup is usually done through a QR code which the user scans on their phone to connect the account ‘secret’ to the device. When this is set up, the application starts generating random 6-digit TOTP codes based on the secret and the current timestamp (time of day). The secret is saved on the device remembering the timestamp, which eliminates the need for the device to have internet access to be able to generate the time-based password. Microsoft’s Authenticator and Apple’s two factor authenticators are similar.
In conclusion, an easy to remember longer passphrase is more secure than a shorter complex password. Combining 2FA in the form of TOTP will provide another much-needed layer of security.
Next steps – implement TOTP
Ubisecure CIAM solutions support TOTP Authenticators for SMS and virtual Multi-factor Authentication (MFA). Contact Us to learn more about TOTP and how your organisation can improve its password security posture.
About The Author: John Jellema
As VP Product Management, John is responsible for ensuring Ubisecure’s ongoing development of its Identity Platform, optimising the feature development while driving generational change across the IAM delivery platform. Since joining Ubisecure in 2017, John has refocused the cloud and on-premises delivered services to fulfil customer expectations across the Nordics.
Prior to joining Ubisecure, John worked for Verizon as a Global Security Product Manager, developing and managing its DDoS platform around the world. With more than 20 years experience in global product management, John is passionate about seamless technology integration. Standing on the shoulders of giants permits us to achieve greatness today and into the future.
More posts by John Jellema