Monday, December 4, 2023

How TOPT Works: Generating OTPs Without Internet Connection


Have you ever wondered how authentication apps like RSA Authenticator generate One-Time Passwords (OTPs) without requiring an internet connection? This fascinating technology is made possible through Time-Based One-Time Passwords (TOTP). In this article, we will explore the mechanics of TOTP, its security features, and why it doesn't rely on the internet at the client-side for generating OTPs.

Understanding TOPT

1. TOPT in a Nutshell

TOPT, or Time-Based One-Time Password, is a security feature designed to enhance the authentication process. It generates OTPs that are only valid for a short period, typically 30 seconds. TOPT uses a secret key, often shared between the server and the user's device, to generate these OTPs. The central idea is to provide a second factor of authentication, beyond just a static password, to strengthen security.

2. The RSA Authenticator App

One popular example of a TOPT implementation is the RSA Authenticator app. This app is commonly used for two-factor authentication and generates OTPs even when the device is offline. So, how does it work?

The Inner Workings of TOPT

1. Secret Key and Initialization

When setting up TOPT on a device, the user and the authentication server share a secret key. This key is securely stored on both sides and is crucial for generating the OTPs. The server also maintains a counter that increments every 30 seconds.

2. Time-Step and Hashing

To generate an OTP, the device combines the secret key with a time-step value. This time-step value is derived from the current time, typically using Unix time (the number of seconds since January 1, 1970). The resulting value is then hashed, often using the HMAC-SHA1 algorithm.

3. Presentation of OTP

The resulting hash is typically a 160-bit value, which is then truncated to obtain a 6 to 8 digit OTP. The truncation involves taking a subset of bits from the hash. The number of digits and the specific bits selected are implementation-dependent.

4. Rolling Code

The server, which is aware of the current time and the shared secret key, can perform the same process to generate an OTP. If the generated OTP matches the one presented by the user, access is granted.

Advantages of TOPT

1. Offline OTP Generation

One of the major advantages of TOPT is that it does not require an internet connection to generate OTPs. The algorithm is based on a predefined time-step, allowing the device and the server to independently generate OTPs at the same time. This is particularly useful when an internet connection is unavailable, ensuring users can still access their accounts securely.

2. Enhanced Security

TOPT significantly enhances security because the OTPs are time-bound and change frequently. Even if an attacker intercepts an OTP, it will be invalid within seconds, reducing the risk of unauthorized access.

TOTP: A Special Case of TOPT

1. What is TOTP?

TOTP, or Time-Based One-Time Password, is a specific implementation of TOPT. It uses the current time as the input for generating OTPs. TOTP ensures that OTPs are synchronized between the device and the server, allowing for secure authentication even when offline.

2. TOTP in Action

In TOTP, the user and the server share a secret key. The device and the server independently generate OTPs based on the current time. The time-step is typically set to 30 seconds, ensuring that OTPs remain valid for a short period.


TOPT, and specifically TOTP, play a crucial role in modern authentication systems. They provide an additional layer of security by generating time-bound OTPs, without requiring an internet connection at the client-side. This capability ensures that even when internet access is unavailable, users can still access their accounts securely. The use of secret keys and time-based calculations makes TOPT a robust and widely adopted security feature, strengthening the overall security of online services.

No comments:

Post a Comment

How TOPT Works: Generating OTPs Without Internet Connection

Introduction Have you ever wondered how authentication apps like RSA Authenticator generate One-Time Passwords (OTPs) without requiring an i...