HOTP vs. TOTP… Which really comes out on top?

Santhusha Mallawatantri
Identity Beyond Borders
11 min read · Nov 9, 2022

Before we get into the technical details and the heavy jargon, it is important to cover the fundamentals of what TOTP and HOTP are. So let's break each one down and then look at which reigns supreme, or whether they are really all the same.

Before getting into what these are, one thing they have in common: both TOTP and HOTP are used for authentication.

In the simplest analogy, authentication determines whether someone or something is, in fact, who or what it claims to be. It is how a party proves its identity when making a request, just like how your passport is checked at the airport to verify that you are the person you claim to be.

So before diving in to see which is better, let's first understand what OTPs are, how they really work and why there is such a commotion about OTP authentication.

Currently, Multi-Factor Authentication, or MFA, is a buzzing area of practice in the domain of IAM. With the evolution of technologies and their integrations, authentication has become a topic of mass importance, and with that, OTPs and OTP authentication methods have become a headline topic as a subdomain of MFA.

What is an OTP?

A One Time Password, commonly known as an OTP, is a password used to authenticate a user; it generally consists of a string of numeric or alphanumeric characters and is issued for a single login session or transaction. In simple terms, an OTP is like a one-way ticket: once used, it cannot be reused to re-enter.

Serving as a more secure alternative to static passwords, an OTP is a safer option than user-created passwords, which are often too weak or more prone to compromise because they are reused across multiple accounts and devices.

OTPs work on a shared secret between the user's OTP application (or hardware token) and the authentication server. Whenever a specific condition arises, such as authenticating a new account or proving that a transaction is legitimate, an OTP can be requested, and OTPs have evolved into the industry standard mechanism for this in logins all over the world.

Using a Hash-based Message Authentication Code (HMAC) computed over the shared secret and a moving factor, such as an event counter or time-based data, one-time password values are created that are either single-use or live for only a short time. Codes generated this way are produced by a dedicated application or token on the endpoint itself. Codes delivered through channels like SMS text messages or email are usually random values generated by the server and sent to the user, and are only as safe as the channel they travel over.

Day-to-day examples of OTP usage include confirming banking transactions, recovering lost passwords, and completing a multi-factor authentication (MFA) login.

Pros and Cons of OTP

The advantages and disadvantages of OTPs can be summarised as follows.

As mentioned, OTPs offer better security and safer authentication compared to conventional user-defined static passwords, which are usually weak or repeated across multiple accounts and therefore more prone to compromise.

On the other hand, there are a few compromises that come with OTPs, such as tokens failing or breaking, a delivered OTP having already expired by the time it reaches the user, and the whole process of generating and entering the OTP being a little cumbersome.

HOTP and TOTP are two of the OTP authentication methods, and we will dive into the comparison and the final verdict after understanding a little about what both HOTP and TOTP are.

Now that the fundamentals are covered on what an OTP is and how it works, let's finally get into what HOTP and TOTP are.

What is a HOTP?

Before we talk about what HOTP is, we need to talk a little about what HMAC is, what it does and the role that it plays when it comes to HOTP.

Hash-based Message Authentication Code (HMAC) is a cryptographic authentication technique that combines a hash function with a secret key.

In common terms, HMAC authenticates a message and verifies its integrity using a shared secret: anyone who knows the key can recompute the tag and check it, and anyone who does not know the key cannot forge one.

For HMAC to work there are two parts, the secret key and the hash function (the algorithm), and the participating parties have to agree on both the shared key and the algorithm they will use.

For example, if the message is “I would like to buy 100 units”, the secret key is 666 and the agreed hash algorithm is MD5, then the resulting HMAC tag is “fd9f18089206e67b163771a3883185ab”. (MD5 is used here only because its output is short; HOTP itself is specified over HMAC-SHA-1, and any change to either the message or the key produces a completely different tag.)

Now let's finally look at what HOTP is. HMAC-based One Time Password, or HOTP (standardised in RFC 4226), is an event-based OTP which relies on two parts, namely a secret key called the “seed” and a moving factor, which for HOTP is a counter.

The “seed” is a secret key known only to the token and to the server that validates the submitted OTP codes; it is provisioned at token initialisation. The counter is stored on both the token and the server. The counter on the token is incremented every time the button on the token is pressed, but the counter on the server is only incremented when a submitted OTP is validated successfully.

Example of HOTP in use with a hardware authentication device like a YubiKey

Pros and Cons of HOTP

When talking about the advantages and disadvantages of HOTP, we can break them down as follows.

HOTP is not bound to an expiration time, which gives the user the flexibility to enter the code whenever they choose. But this also makes HOTP more exposed, because a generated code stays valid until it (or a later code) is successfully validated. So if the user has not entered the code for some time since generating it, anyone who has seen that code still holds a valid credential until the user's next successful login.

Since HOTP uses an event-based algorithm, it is not confined to time limitations. This is desirable when a code must remain usable for a long period, for example on a hardware token with no clock, or where the user cannot enter the code immediately. Note that this is a convenience property rather than a security one: the longer a code stays valid, the longer an intercepted code remains useful to an attacker.

Since the event counter is kept on both the token and the server, if the button on the token is pressed repeatedly without the codes being submitted, the server's expected counter falls behind the value displayed on the token, and the token and server become desynchronised. As a countermeasure, the server accepts a look-ahead window of subsequent counter values and resynchronises to whichever one matches. But the larger that window, the more codes are simultaneously valid, which increases the risk of compromise by guessing: with a 6-digit code and a window of s values, a random guess succeeds with probability about s/10^6 per attempt. This is why RFC 4226 requires the server to throttle or lock out after a small number of failed attempts, and why previous counter values must never be accepted again, since that would allow replay of an already used code.
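To make the two halves concrete, here is an added example in Python (not code from the original article) that implements the RFC 4226 generation step described above and the server-side validation with a look-ahead window and throttling discussed in the paragraph on desynchronisation. The secret is the reference key from RFC 4226 Appendix D, used so the codes can be checked against the RFC's published test vectors; the window size of 10 and the lock-out after 5 failures are assumed values for illustration, not requirements of the RFC.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D reference secret (ASCII "12345678901234567890").
# Used here only so the output can be checked against the RFC's test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian
    counter, dynamic truncation to a 31-bit integer, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"  # zero-padded decimal string


class HotpValidator:
    """Server side of HOTP: per-user counter, a look-ahead window for
    resynchronisation and a failure counter for throttling.
    look_ahead and max_failures are assumed policy values for this example."""

    def __init__(self, secret: bytes, look_ahead: int = 10, max_failures: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # size of the validation window
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, submitted: str) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked: too many wrong codes, stop the guessing
        # Only counters at or after the expected one are tried, so a code
        # that was already accepted (or any older one) can never be replayed.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # resync: jump past the accepted value
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(RFC4226_SECRET, c)}")
    server = HotpValidator(RFC4226_SECRET)
    # Constructed scenario: the token button was pressed three times, so the
    # user submits the code for counter 3 while the server still expects 0.
    print("resync accepted:", server.verify(hotp(RFC4226_SECRET, 3)))
    print("replay rejected:", not server.verify(hotp(RFC4226_SECRET, 3)))
```

Running it reproduces the RFC vectors (counter 0 gives 755224, counter 1 gives 287082). In the constructed scenario the server finds the match at counter 3 and moves its own counter to 4, so the earlier codes and the one just accepted are rejected from then on; five wrong codes in a row lock the account long before a window of ten values could be exhausted by guessing.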

Phew…….. well that was a bit to take in. Let’s get into what TOTP is and then we can compare on what is better.

What is a TOTP?

Time-based One Time Password, or TOTP, replaces the event-based moving factor of HOTP with a time-based one. So instead of a counter you will find a time factor.

TOTP uses a simple rule for the increments in the moving factor, known as the “timestep”. A timestep is usually 30 seconds (the RFC 6238 default; 60 seconds is also used), and the generated OTP is valid for that particular timestep. The moving factor is calculated by dividing the current Unix time by the timestep length and rounding down, so every 30 seconds the counter value fed into the HMAC advances by one.

General Depiction of the TOTP flow

TOTP is in general an extension of HOTP. Apart from calculating the moving factor from the current Unix time and the timestep, the rest of the TOTP code generation process is the same as that of HOTP.

TOTP codes are generated using the Time-Based One Time Password algorithm described in RFC 6238.

Flow of a TOTP generation
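As an added example (again not from the original article), the following Python turns the rule above into code: the moving factor is floor((now - T0) / X) with T0 = 0 and X = 30 seconds, fed into the same HOTP routine. The secret is the RFC 6238 Appendix B reference key so the 8-digit outputs can be checked against the RFC's SHA-1 test vectors. The validator accepts one timestep either side of the current one to absorb clock drift, and refuses to accept a code for a timestep it has already accepted, so a code captured inside its window cannot be replayed. The skew of one step is an assumed policy value.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"),
# used so the output can be checked against the RFC's SHA-1 test vectors.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 core: HMAC-SHA-1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def time_step(unix_time: int, t0: int = 0, step: int = 30) -> int:
    """T = floor((now - T0) / X): the moving factor TOTP feeds into HOTP."""
    return (unix_time - t0) // step


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP is HOTP with the timestep number as the counter."""
    return hotp(secret, time_step(unix_time, 0, step), digits)


class TotpValidator:
    """Server side: accepts the current step plus `skew` steps either side to
    absorb clock drift, and remembers the last accepted step so the same code
    cannot be replayed inside its window. skew=1 is an assumed policy value."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, skew: int = 1):
        self.secret, self.digits, self.step, self.skew = secret, digits, step, skew
        self.last_accepted_step = -1

    def verify(self, submitted: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = time_step(now, 0, self.step)
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_accepted_step:
                continue  # that step (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, t, self.digits), submitted):
                self.last_accepted_step = t
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: Unix time 59 is timestep 1, which gives 94287082.
    print("t=59 ->", totp(RFC6238_SECRET, 59, digits=8))
    server = TotpValidator(RFC6238_SECRET, digits=8)
    # Constructed scenario: code generated at second 29 of a step, submitted
    # 10 s later (next step, inside the skew window), then replayed.
    code = totp(RFC6238_SECRET, 1111111109, digits=8)
    print("drift accepted:", server.verify(code, 1111111119))
    print("replay rejected:", not server.verify(code, 1111111119))
```

The drift window is the practical reason a "single valid code at a time" claim is only approximately true: with skew of one step, up to three codes are acceptable at any instant, which is still a fixed and small number compared with an HOTP look-ahead window.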

Pros and Cons of TOTP

The best way to get an overall summary of TOTP is to look at the upsides and downsides of TOTP,

TOTP is considered more secure because its moving factor is time: a code is only valid for its timestep, typically 30 seconds (60 is the other common choice), so an intercepted code is useful to an attacker for at most that long. Along with that, the flexibility it provides through supporting both hardware and software tokens means a software integration can avoid the external costs of additional hardware and the logistics that come with it.

Even though TOTP does not require any internet connectivity on the token, it is still prone to real-time phishing. The code proves knowledge of the seed, but nothing binds it to the site the user thinks they are logging into, so an attacker who impersonates the system requesting the code can collect the user's password and current code and use them against the real system before the timestep expires. The same holds for an adversary-in-the-middle who relays the login traffic, or a social-engineering call that talks the user into reading the code out. The short lifetime limits the damage, but it does not prevent this attack; only origin-bound methods such as FIDO2/WebAuthn security keys do.

TOTP is very lightweight, meaning that integration can be done without any additional hardware or other logistical requirements: all you need is an authenticator application on the required devices. Because of that, TOTP is also very device dependent, as the code can only be generated on a device that holds the seed in its authenticator app; losing the device means losing the factor unless the seed was backed up or recovery codes were issued.

Relying on a shared secret (seed) is not the generally recommended practice in the industry, and this applies to HOTP just as much as to TOTP. The seed cannot be stored as a salted hash the way a password can, because the server must have the raw seed to recompute the HMAC, so at best it is stored encrypted with a key held in a KMS or HSM, and at worst as plain text. Either way the seeds of all users are under the sole control of the provider, and any compromise of the provider's database of seeds (and of the key protecting them) means the attacker can generate valid codes for every user without the users knowing.

Alright, since we know a little about what HOTP and TOTP are, let's compare them and come to a verdict on which really is the better OTP authentication method, and why. So without further ado, let's get started.

Comparison

While both are far more secure than not using MFA at all, HOTP and TOTP each have limitations and advantages.

The more recent OTP method, TOTP, is simpler to operate, offers more flexibility in how the OTP is delivered and keeps your company more secure. But it is crucial to remember that, because the system is time-based, two timing problems arise: clock drift between the token and the server, and the lag between password creation and use. For instance, a TOTP will expire if it is not entered promptly, and a token whose clock runs a few seconds off may produce the code for the neighbouring timestep. The server must account for both, by accepting a small number of adjacent timesteps and by making sure a user who gets one code wrong can attempt again without being immediately locked out.

HOTP is a little more user-friendly because it has no time limit, but it might be more vulnerable to brute-force attacks. This is because the HOTP validity window may be extended to resynchronise the counter, which must be balanced by rate limiting on the server. Some HOTP variants have addressed this by adding a time-based component, slightly blurring the distinction between these two kinds of OTP.

The potential for desynchronisation between token and server is one of the problems with HOTP's event counter. The value displayed on the token will not match the value the server expects if the user presses the button without submitting the codes. To get around this, the server must accept a number of subsequent counter values, which creates a validation window in which every one of those values is a valid code. The bigger the window, the better the odds that a hostile actor guessing codes hits one of them and gains access to the user's account. By deriving the counter from the clock, TOTP removes the counter desynchronisation and shrinks the window to a fixed size: in principle one value is valid per 30 or 60 second timestep, and in practice the server accepts one step either side to absorb clock drift, so at most two or three values are ever valid at once, regardless of what the user does with the token.

Final Verdict

Purely from a security standpoint, TOTP is clearly preferred over HOTP. To minimise any impact on users, the validating server must be able to handle the potential clock drift of TOTP tokens.

Since only a handful of TOTP codes are valid at any moment and they change every 30 or 60 seconds, a leaked or guessed code is far less useful to an attacker than a HOTP code, which stays valid until the user's next successful login.

Using an OTP generator, such as a key fob or an authenticator app, is a safer way to do MFA than SMS-based solutions, regardless of the OTP type you employ. Whether through SIM swap fraud or another attack that gives them access to your texts, scammers have come up with inventive techniques to intercept SMS codes. SMS-based MFA is far less secure than a key fob code generator or an authenticator app on your phone, but it is still better than no MFA at all.

TOTP 2FA will not be a good fit for everyone. Other forms of 2FA, such as FIDO2 security keys (USB keys), which bind the login to the genuine site and so resist phishing, may be a better fit for businesses that handle extremely sensitive assets. However, TOTP can be the best option for enterprises with small budgets that still wish to secure their identities and IT resources.

All in all, the HOTP vs TOTP question has a clear answer. TOTP is more secure than HOTP because it uses the underlying HOTP algorithm while introducing a change that improves security. There is little reason to use HOTP instead of TOTP; the main exception is a token that has no reliable clock, such as a button-only hardware fob or an old system without Unix time, which can only do HOTP.

And that wraps it up for this article, everyone. I hope you learnt something from it and take an interest in exploring the domain of IAM further.

As always, keep shining and stay tuned for lots more exciting stuff coming your way. Continue to work hard, stay curious, and dare to try something new or learn something new every day. Look out for one another and keep rocking.

This is your friendly neighborhood UX/UI junkie signing off. See you next time. Peace ✌️
