How TOTP Secures Your Accounts: Theory, Applications, and Python Demo
This article explains the TOTP algorithm behind time‑based one‑time passwords, outlines its security benefits and common use cases such as online logins, VPNs, and hardware tokens, and provides a practical Python implementation with code examples using the pyotp library.
TOTP Algorithm
Time‑Based One‑Time Password (TOTP) is a standard algorithm that generates short, time‑limited passwords for two‑factor authentication (2FA). It builds on the HMAC‑based OTP (HOTP) algorithm, replacing HOTP's moving counter with a value derived from the current Unix time and combining it with a shared secret.
How TOTP Works
The algorithm takes a pre‑shared secret key, computes an HMAC‑SHA‑1 over the current time‑step counter (the Unix time divided by the step length, typically 30 seconds), and truncates the result to a 6‑digit code. Because the counter advances every step, the same secret yields a different code each interval, giving a time‑sensitive verification mechanism.
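The following is an added example (not code from the original article) that implements HOTP and TOTP from scratch with the standard library so the steps above are visible: the 8-byte big-endian counter, HMAC-SHA-1, dynamic truncation and the modulo to six digits. The verifier side adds what a server actually needs beyond a plain equality check: a small window of neighbouring steps to tolerate clock drift, constant-time comparison, and rejection of any counter at or before the last accepted one so a code cannot be replayed within its lifetime. The secret `12345678901234567890` is the published RFC 4226 / RFC 6238 test-vector key; the step and digit counts are parameters rather than fixed values.

```python
import hashlib
import hmac
import struct
import time

# Reference key from RFC 4226 / RFC 6238 (ASCII bytes); only used for the known test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter,
    then dynamic truncation and reduction modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter=None):
    """Server-side check. Returns the matching counter, or None if the code is rejected.

    - Accepts the current step plus `window` steps on either side to absorb clock drift.
    - Compares in constant time (hmac.compare_digest), not with ==.
    - Refuses any counter <= last_used_counter: the caller stores the returned counter
      after a successful login so the same code cannot be replayed within the window.
    """
    if unix_time is None:
        unix_time = time.time()
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Known vectors: HOTP counter 0 -> 755224; TOTP at t=59 (counter 1) -> 94287082 (8 digits).
    print(hotp(RFC_SECRET, 0))
    print(totp(RFC_SECRET, 59, digits=8))
    code = totp(RFC_SECRET, 59)
    print(verify_totp(RFC_SECRET, code, unix_time=59))                      # 1
    print(verify_totp(RFC_SECRET, code, unix_time=59, last_used_counter=1))  # None (replay)
```

The returned counter is the value to persist per user: storing it and passing it back as `last_used_counter` is what turns "valid now" into "valid once", which is the property the name one-time password promises.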
Common Applications
Online Account Authentication
Web services such as email providers, social platforms, and banks integrate TOTP via mobile apps like Google Authenticator or Authy. Users enter the generated code in addition to their password during login.
VPN Access Control
Enterprises require a TOTP code when establishing a VPN connection, ensuring that only authorized users can reach internal resources.
Remote Desktop Access
Remote desktop clients can demand a TOTP code before establishing a session, adding a second authentication layer.
Authentication Apps
Apps like Google Authenticator and Authy themselves implement TOTP to generate codes for a wide range of online services.
Hardware Tokens
Physical devices (hardware tokens or smart cards) embed a clock and the TOTP algorithm, producing codes identical to those generated by mobile apps.
Python Implementation with pyotp
The pyotp library provides a simple interface for generating and verifying TOTP codes. Install it with pip install pyotp.
import pyotp
import time

totp = pyotp.TOTP('XFXXGRMELERZXQ7AQNF3UNF2OX56NOQ3')  # shared Base32 secret
val = totp.now()                                    # current 6-digit code
print(val)
print(totp.verify(val))  # True: the code is valid in the current time step
time.sleep(30)
print(totp.verify(val))  # False: the 30-second step has passed, so the code has expired

By default, pyotp uses a 30‑second time step; this interval cannot be changed directly.
Generating Secrets
Use pyotp.random_base32() to create a 32‑character Base‑32 secret compatible with Google Authenticator and other OTP apps. For hexadecimal‑encoded secrets, call pyotp.random_hex(), which returns a 40‑character hex string.
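As an added example (not part of the original article and not pyotp's own code), the helpers below produce the same two secret formats described above with the standard library, decode the Base32 form back to raw key bytes, and build the `otpauth://` provisioning URI that authenticator apps read from a QR code. Authenticator apps and pyotp emit Base32 without `=` padding, while Python's `base64.b32decode` insists on it, so the decoder re-pads before decoding; the sample secret used below is the one from the article's own snippet, and `ISSUER` and `ACCOUNT` are made-up values.

```python
import base64
import secrets
from urllib.parse import quote, urlencode

# Constructed labels for the provisioning URI (not from the original article).
ISSUER = "ExampleCorp"
ACCOUNT = "alice@example.com"


def random_base32(nbytes: int = 20) -> str:
    """Unpadded Base32 secret. 20 random bytes (160 bits) encode to exactly 32 characters,
    which is the length authenticator apps and pyotp.random_base32() produce."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def random_hex(nbytes: int = 20) -> str:
    """Hex-encoded secret: 20 bytes -> 40 hex characters."""
    return secrets.token_hex(nbytes)


def decode_base32(secret: str) -> bytes:
    """Turn a user-facing Base32 secret into raw key bytes.
    Spaces and lowercase are tolerated; missing '=' padding is restored to a multiple of 8."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


def provisioning_uri(secret: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """Key URI understood by Google Authenticator and compatible apps.
    The secret travels in the clear inside this URI, so the QR code that carries it
    deserves the same handling as a password."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret, "issuer": issuer, "algorithm": "SHA1",
                        "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    s = random_base32()
    print(s, len(s))                                   # 32-character secret
    print(len(decode_base32(s)))                       # 20 raw key bytes
    print(provisioning_uri(s, ACCOUNT, ISSUER))
```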
Conclusion
The author recounts personal experience with an older hardware token (“将军令”) that was eventually compromised, illustrating that even time‑based passwords can be vulnerable if the attacker obtains the shared secret.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)