For the second input of the function, HOTP uses a counter that is shared by the server and the user. The problem with this is that a generated code remains valid until it is used. TOTP restricts this: the generated code can only be used within a defined time window. How does this work?
For the time-based one-time password algorithm, there are three important formulas:
TOTP = HOTP(SecretKey,CurrentTime)
This basic formula simply defines that the TOTP is a HOTP procedure with two parameters – SecretKey and CurrentTime:
- SecretKey: Randomly generated password, known to both the server and the client
- CurrentTime: Current time in Unix time
However, this time value changes every second, which would not leave the user enough time to enter the generated code. In other words, one second later the TOTP is no longer valid, because the server has already computed a new hash value. A further formula is therefore required:
CurrentTime = floor((unixtime(now) - unixtime(T0)) / T1)
The CurrentTime parameter is defined as follows:
- unixtime(now): Current time in Unix time
- unixtime(T0): Unix time at T0, the point from which the time steps are counted – in most cases midnight on January 1, 1970 (=0)
- T1: The period for which the TOTP will be valid (usually 30 seconds)
- floor: Rounding function to round the calculated value down to a whole number