TOTP
Definition
TOTP (Time-based One-Time Password) is a temporary passcode generated by an algorithm that uses the current time as an input. It is commonly used in two-factor authentication (2FA) systems to strengthen security by requiring a second form of verification in addition to a password. The TOTP algorithm is defined in RFC 6238 (it builds on the counter-based HOTP algorithm of RFC 4226) and typically produces a new code every 30 seconds; each code is accepted only for a short window, which limits the risk of unauthorized access if a code is captured.
Secure Settings Example
# Example configuration for a TOTP-based 2FA system
totp:
  issuer: "ExampleApp"
  algorithm: "SHA-256"
  digits: 6
  period: 30
  secret_length: 32
  enforce_2fa: true
Insecure Settings Example
# Example of insecure TOTP configuration
totp:
  issuer: "ExampleApp"
  algorithm: "SHA-1"    # Weaker algorithm
  digits: 4             # Insufficient length
  period: 60            # Longer period increases risk
  secret_length: 16     # Shorter secret length
  enforce_2fa: false    # 2FA not enforced
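The following Python is an added example, not code from the original page, showing the RFC 6238 algorithm end to end: code generation for the two configurations above, server-side verification with a clock-skew window, constant-time comparison and replay protection, and a policy check that flags each of the insecure settings. The only secrets it embeds are the published RFC 4226 / RFC 6238 test-vector keys; the dict names `SECURE` and `INSECURE`, the function names, and the thresholds inside `check_policy` (digits of at least 6, period of at most 30 s, secret of at least 20 bytes as RFC 4226 recommends, 2FA enforced, algorithm other than SHA-1) are this example's own choices, derived from the two configurations on the page.

```python
"""RFC 6238 TOTP: generation, verification with replay protection, and a
policy check for the secure / insecure settings above (added example)."""
import hmac
import secrets
import struct
from fractions import Fraction

# Shared secrets from the RFC 4226 / RFC 6238 test vectors (ASCII digits repeated).
RFC_SECRET_SHA1 = b"12345678901234567890"                  # 20 bytes, used with SHA-1
RFC_SECRET_SHA256 = b"12345678901234567890123456789012"    # 32 bytes, used with SHA-256

# The page's two `totp:` mappings as dicts (constructed from the YAML above).
SECURE = {"algorithm": "SHA-256", "digits": 6, "period": 30, "secret_length": 32, "enforce_2fa": True}
INSECURE = {"algorithm": "SHA-1", "digits": 4, "period": 60, "secret_length": 16, "enforce_2fa": False}


def hotp(secret, counter, digits=6, algorithm="SHA-1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = algorithm.replace("-", "").lower()        # "SHA-256" -> "sha256" for hmac
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                               # low nibble of the last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)         # keep `digits` decimal digits


def totp(secret, unix_time, digits=6, period=30, algorithm="SHA-1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret, code, unix_time, last_counter, digits=6, period=30,
                algorithm="SHA-1", window=1):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts the current step plus `window` steps either side (clock skew),
    compares in constant time, and refuses any step at or below the last
    step already accepted for this user, so a captured code cannot be replayed.
    """
    current = unix_time // period
    for step in range(current - window, current + window + 1):
        if step <= last_counter:                          # already used: replay
            continue
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            return step
    return None


def new_secret(secret_length=32):
    """Random shared secret of `secret_length` bytes (the `secret_length` key above)."""
    return secrets.token_bytes(secret_length)


def guess_probability(digits, window=1):
    """Chance that one random guess is accepted: (2*window + 1) / 10**digits."""
    return Fraction(2 * window + 1, 10 ** digits)


def check_policy(cfg):
    """List the settings that fall below the page's secure example.
    Thresholds are this example's choice (see the lead-in)."""
    findings = []
    if cfg["algorithm"].upper().replace("-", "") == "SHA1":
        findings.append("algorithm: SHA-1 (prefer SHA-256)")
    if cfg["digits"] < 6:
        findings.append(f"digits: {cfg['digits']} (need >= 6)")
    if cfg["period"] > 30:
        findings.append(f"period: {cfg['period']}s (need <= 30)")
    if cfg["secret_length"] < 20:                          # RFC 4226 recommends 160 bits
        findings.append(f"secret_length: {cfg['secret_length']} bytes (need >= 20)")
    if not cfg["enforce_2fa"]:
        findings.append("enforce_2fa: false (must be true)")
    return findings


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors reproduce exactly with the two RFC keys.
    print(totp(RFC_SECRET_SHA1, 59, 8))                              # 94287082
    print(totp(RFC_SECRET_SHA256, 59, 8, 30, "SHA-256"))             # 46119246
    for name, cfg in (("secure", SECURE), ("insecure", INSECURE)):
        key = new_secret(cfg["secret_length"])
        code = totp(key, 1234567890, cfg["digits"], cfg["period"], cfg["algorithm"])
        print(name, code, "guess odds per attempt:", guess_probability(cfg["digits"]),
              "findings:", check_policy(cfg))
```

The same `hotp` routine accepts both configurations without complaint; the only thing separating a 1-in-333,333 guess from a 1-in-3,333 one is the `digits` value, which is why the policy check belongs at configuration time. Verification should also record the returned step as the user's new `last_counter` and rate-limit failed attempts, since the window of accepted steps multiplies an attacker's odds per guess.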