midia21, 2021-07-12 09:16:53
PHP

How does a one-time password work in TOTP?

I had a task to implement authentication by SMS. For this I decided to use a time-based one-time password (TOTP) and the PHP library Spomky-Labs/otphp. While playing with it, in order to understand how it works, I wrote the following test code:

<?php
// The original snippet omitted the Composer autoloader and the library namespace.
require __DIR__ . '/vendor/autoload.php';

use OTPHP\TOTP;

// otphp expects the secret as a Base32 string; 'ggg' is kept only for this test.
$otp = TOTP::create('ggg');

// Guard against an undefined index on the first visit (no ?code yet), and print
// the boolean explicitly: echo of false prints an empty string.
$code = $_GET['code'] ?? '';
echo ($code !== '' && $otp->verify($code)) ? 'valid' : 'invalid';
echo ' ', $otp->now();
echo '
    <form action="index.php" method="GET">
        <input name="code" type="text">
    </form>
';


There are a couple of things I don't understand:

1) How does the TOTP algorithm work? Do I understand correctly that it takes the secret (in this case "ggg") and calculates a password for each period of time, something like:
12 minutes 0 seconds - password 234567
12 minutes 30 seconds - password 534234

2) Do I understand correctly that, knowing the secret, you can calculate what the password will be at some time in the future, for example at 16:40?

3) And the last, third question. I noticed that the password changes regardless of when the script is run. If you leave the default password validity period (30 seconds), it changes at 12:30, 13:00, 13:30, 14:00 ....
That is, if the user requests a password at 13:59, he will not have 30 seconds to enter it but only one second. How can this be dealt with?

Thanks in advance.


2 answer(s)
Konstantin Tolmachev, 2021-07-12
@dark_tke

Your answers to questions 1 and 2 are correct. Your answer to question 3 is not. If one-time TOTP passwords are used, it is assumed that the user has a mobile application that gives him the passwords and shows how long the current one will still be valid.
For SMS authentication, TOTP is not the best option.
If you need to understand the algorithm: https://habr.com/ru/post/154229/

rPman, 2021-07-12
@rPman

"That is, if the user requests a password at 13:59, he will not have 30 seconds to enter it but only one second. How can this be dealt with?"
Check not only the password for the current time but also the one for 30 seconds earlier, so that the previous code still works. But be careful: there are (admittedly far-fetched) cases where only the code for the current time is acceptable and a code from the past must not be allowed.
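The mechanics asked about in the question (how the code is derived from the secret and the clock, computing it for a future time, and why it rolls over on fixed 30-second boundaries) and the tolerance rPman suggests, worked through in one added example. This is not code from the thread and not the otphp library's code; it is in Python rather than PHP because only the algorithm is shown (RFC 4226 HOTP and RFC 6238 TOTP, which is what otphp implements). The secret is the published RFC test key, constructed here for illustration, and the replay guard (remembering the last accepted time step) is one common way to implement the caveat in rPman's answer, not something the thread spells out.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed secret for illustration: the RFC 4226 / RFC 6238 test key, ASCII
# "12345678901234567890". A real secret is random (e.g. os.urandom(20)) and is
# handed to the client Base32-encoded, which is the form otphp's TOTP::create() takes.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the "period" from the question
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time: int, step: int = STEP_SECONDS, t0: int = 0) -> int:
    """RFC 6238: T = floor((now - T0) / X).

    The counter depends only on the clock, not on when the script runs, which is
    why the code rolls over at :00 and :30 of every minute (question 3)."""
    return (unix_time - t0) // step


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """The code valid at `unix_time`; any instant, past or future, works (question 2)."""
    return hotp(secret, time_step(unix_time, step), digits)


def seconds_remaining(unix_time: int, step: int = STEP_SECONDS) -> int:
    """How long the current code stays valid: the countdown an authenticator app shows."""
    return step - (unix_time % step)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1,
           last_accepted_step: Optional[int] = None) -> Optional[int]:
    """Server-side check with the tolerance rPman describes.

    Accepts the code for the current step and up to `window` earlier steps
    (window=1 means "also the one from 30 seconds ago"), but never a step at or
    below the last one already accepted, so a code that was observed once cannot
    be replayed. Returns the matching step (store it as the new last_accepted_step)
    or None when nothing matched.
    """
    current = time_step(unix_time)
    for back in range(window + 1):
        step = current - back
        if last_accepted_step is not None and step <= last_accepted_step:
            continue
        # constant-time comparison so the check does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("code now:", totp(TEST_SECRET, now), "valid for", seconds_remaining(now), "s")
    print("code in one hour:", totp(TEST_SECRET, now + 3600))
    # The user from question 3: a code issued one second before the rollover at t=60
    # is still accepted at t=60 thanks to window=1, but not a second time.
    issued = totp(TEST_SECRET, 59)
    first = verify(TEST_SECRET, issued, 60)                      # -> 1 (previous step)
    print("accepted step:", first)
    print("replay:", verify(TEST_SECRET, issued, 61, last_accepted_step=first))  # -> None
```

The assertions below use the RFC 4226 / RFC 6238 test vectors for this key (HOTP counter 1 is 287082, which is also the TOTP code at Unix time 59). The otphp library exposes the same tolerance through an optional third argument to verify(); check the documentation of the release you use for its name and semantics.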
