← All writeups

The Genius of TOTP 2 Factor-Auth

The Secure Dance of Time and Secrets for Enhanced Security


Riki Phukon

· views

The Genius of TOTP 2 Factor-Auth post image


I recently enabled 2-factor authentication with Google Authenticator for most of my accounts. It implements multi-factor authentication services using the time-based one-time password (TOTP) and HMAC-based one-time password (HOTP) for authenticating users of software applications.

I was intrigued by how it works offline. So, I delved into it and was deeply impressed by the mechanics behind it. Consequently, I decided to write about it.

OG Image


The Genius of TOTP 2 Factor-Auth

While this article provides a glimpse into the fascinating world of TOTP 2-factor authentication, it’s important to note that the topic is vast and there’s much more to explore. In the interest of keeping this article concise, several aspects have not been covered, including various cryptographic algorithms, security protocols, and implementation nuances that play crucial roles in the successful deployment of TOTP for different services.

Must make you aware that I post on my personal site 3 days prior posting to Medium and other site.

The Biscuit

To understand the concept of 2FA, let’s take a trip back to 1981 during the Cold War era. President Ronald Reagan faced a critical security situation when he was shot, and the “Biscuit” — a plastic card containing secret codes for launching nuclear weapons — went missing temporarily.

Multi-factor auth

The Biscuit served as an example of multi-factor authentication, as it required “something you have” (the physical card), “something you know” (memorizing the correct code on the card), and “something you are” (surrounded by top-secret security infrastructure).


Multi-factor authentication is a security process that verifies your identity using two or more of the following factors:

  1. Something you know: This is typically a password or a Personal Identification Number (PIN). While passwords are widely used, they have their limitations, such as being susceptible to hacking and phishing attempts.

  2. Something you are: This involves biometric information, like fingerprints or facial recognition. Biometrics offer strong proof of identity but can’t be changed if compromised.

  3. Something you have: This factor includes physical objects like bank cards, tokens, or smartphones. The possession of these objects is used to confirm your identity.


The Time-based One-time Password (TOTP) algorithm is widely used for implementing 2FA. It generates time-based tokens and relies on a shared “seed” or “constant factor” between the user and the service provider.

Alongside this seed, a “moving factor” is employed, which is based on time. Commonly, the moving factor corresponds to the current time (UNIX time is used), and by combining the seed and the time, a unique token is produced. The token remains valid for a specific duration, typically around 30 seconds, after which it changes to a new value, providing a fresh password for each time interval.


Conversely, HOTP (HMAC-Based One-Time Password) is an event-based OTP algorithm. Similar to TOTP, it also relies on a shared “seed” or “constant factor” between the user and the service provider. However, unlike TOTP’s time-based moving factor, HOTP employs a counter as the moving factor. Every time the user generates a token, the counter increments, leading to a new and distinct token for each successive event, such as a login attempt. TOTP is HOTP with the counter value being time.


SHA1 is a cryptographic hash function that converts data into a fixed-length string of characters (40 characters in the case of SHA1). It has a critical property: even a minor change in the input results in a vastly different output. However, SHA1 is susceptible to a “length extension attack,” which could compromise its security.

To address this issue, the HMAC SHA1 algorithm was introduced. HMAC stands for “Hash-based Message Authentication Code,” and it enhances the security of the hash function by incorporating a secret key in the process.

TOTP Implementation

Algorithm The implementation of the TOTP algorithm involves several steps. First, the “secret” is decoded using the base32 algorithm. Why base32? It’s because our secret is supposed to be safe and therefore we use any character that ASCII encoding supports.

With ASCII encoding, we can write 256 different characters and that also includes control characters that are not possible to print with a normal keyboard.

So we use Base32 encoding that allows us to express any ASCII character with only 32 characters. (A to Z and 2 to 7)

The current time is then rounded to 30-second intervals using the Unix time format. This time value is converted into a hexadecimal number and passed to the HMAC SHA1 function along with the shared “secret”. The resulting hash is used as the time-based token.

To simplify the process for the user, the token is further reduced to a 6-digit code using dynamic truncation. The user is then required to enter this 6-digit code during the login process, which significantly improves usability while maintaining security.

QR Code for 2FA Activation

When enabling 2FA, users often use a QR code to set up the authentication method. This QR code contains all the necessary information for the TOTP algorithm, including the shared secret. Scanning the QR code with a mobile device’s camera quickly sets up the 2FA, making the process faster and more error-resistant.

← All writeups