Unless you have been living under a rock, you would be very used to authenticating yourself using an authenticator app on your mobile phone. But have you ever wondered how an online service is able to check if the code generated by an app on your mobile phone is correct or not? No, the app and the online service don’t talk to one another over the internet. If so, how is this possible? Well, this is made possible by TOTP authentication, which stands for Time-based One-time Password authentication.

This is merely an extension of HOTP, which stands for HMAC-based One-Time Password. Therefore, to understand TOTP, an understanding of HOTP is necessary. To explain HOTP briefly, HOTP uses the HMAC algorithm to generate a hash which is then truncated to produce a number containing a certain number of digits, which is usually six. The HMAC algorithm takes in a secret key and data and hashes them twice to produce a hash. You can learn more about the HMAC algorithm here. The HOTP algorithm uses HMAC to hash together a secret key and a counter. This counter is incremented over time by the algorithm in such a way that both the authenticating system and the code generator, which is often a hardware token, have their counters in sync with one another.

TOTP extends HOTP by replacing the counter that is incremented with the current time. This not only ensures that the OTP generated is valid only for a certain amount of time but it also greatly reduces the problem of synchronization in HOTP. Here, the authenticator and the authenticated share a secret key. The authenticated, whenever asked to present the OTP code, uses the shared secret key and the current time as inputs to the HMAC algorithm to produce a hash which is then truncated to produce the code. Since it is a hash, the system needs to provide the exact same input to produce the same code. If the system can produce the same code, it then successfully authenticates the user.

However, there will be an obvious latency between the user’s authenticator app generating the code and the system receiving the code. This means the time input into the HMAC algorithm by the app will differ from the time the system enters. Therefore, it is important that there exists a window of time. So, a code is supposed to be entered into the system within 30 seconds of its generation. But how can this window be implemented? This is done by deducting the Unix epoch from the current Unix time and dividing it by the window duration.

Let’s see how this works by considering an example. Here, the last Z shows that it is the GMT time. So, we need to first find out how much time has elapsed since the Unix epoch by subtracting the Unix epoch from the current time. Doing so gives us 50 years, 3 months, 19 days, 7 hours, 9 minutes, 48 seconds. Now, we need to divide it by 30 seconds to find out how many 30-second intervals have elapsed since the Unix epoch.

Most programming languages can actually give you the milliseconds or seconds that have elapsed since the Unix epoch. For instance, JavaScript’s getTime() method of the Date object can give you the number of milliseconds that have elapsed since the Unix epoch. Now, we can divide this by 30000 (since getTime() returns milliseconds) to get the number of 30-second intervals that have elapsed since the Unix epoch.

Flooring the division

After doing the division, it is important that we floor the obtained value to the largest integer less than or equal to the output of the division. If we assume 58 seconds have elapsed since the Unix epoch, dividing 58 by 30 is going to give us 1.933. To know the number of 30-second intervals that have elapsed, we need to floor this value. This shows that one 30-second duration has elapsed since the epoch, which is correct.

Thus, if we divide the value we obtained in our example by 30 seconds and floor it, we get 52912219. This shows 52,912,219 30-second intervals have elapsed since the epoch. Since both the system and the app will produce the exact same number during the 30-second window, they would be producing the same TOTP code and thus, the user can be authenticated.
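The whole calculation described in this article, as an added example that is not part of the original post: the floored 30-second counter, the HMAC, the truncation to six digits, and the server-side check. It runs in Node.js; the function names are illustrative, HMAC-SHA1 and the truncation step follow RFC 4226 (the article does not spell them out), and the secret is the published RFC 6238 test key.

```javascript
const crypto = require("node:crypto");

const STEP_MS = 30000; // 30-second window; Date#getTime() returns milliseconds

// Whole 30-second windows elapsed since the Unix epoch (division, then floor).
function timeCounter(date) {
  return Math.floor(date.getTime() / STEP_MS);
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate (RFC 4226).
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f; // low nibble of last byte picks 4 bytes
  const value = mac.readUInt32BE(offset) & 0x7fffffff; // drop the sign bit
  return String(value % 10 ** digits).padStart(digits, "0");
}

// TOTP: HOTP with the counter replaced by the current time window.
function totp(secret, date) {
  return hotp(secret, timeCounter(date));
}

// Server side: recompute the code for its own clock and compare in constant time.
function verify(secret, submitted, date) {
  const expected = Buffer.from(totp(secret, date));
  const given = Buffer.from(String(submitted));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed demo: the published RFC 6238 test key, never a real secret.
const SECRET = Buffer.from("12345678901234567890");

function demo() {
  const code = totp(SECRET, new Date(31 * 1000)); // app generates at t = 31 s
  return {
    code,
    sameWindow: verify(SECRET, code, new Date(59 * 1000)), // server at t = 59 s
    nextWindow: verify(SECRET, code, new Date(61 * 1000)), // server at t = 61 s
  };
}

console.log(demo());
```

The code generated at 31 seconds is accepted at 59 seconds because both times floor to counter 1, and rejected at 61 seconds because the server's counter has moved to 2.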