6.3.1.22. TOTP

The TOTP token is - together with the HOTP Token - the most common token. The TOTP Algorithm is defined in RFC6238. The TOTP token is a time based token. Roughly speaking the TOTP algorithm is the same algorithm like the HOTP, where the event based counter is replaced by the unix timestamp.

The TOTP algorithm has some parameter, like if the generated OTP value will be 6 digits or 8 digits or if the SHA1 or the SHA256 hashing algorithm is used and the timestep being 30 or 60 seconds.

The TOTP token implements the authenticate mode. With a suitable challenge_response policy, it may also be used in the challenge mode.

6.3.1.22.1. Hardware tokens

The information about preseeded token and seedable tokens is the same as described in the section about HOTP Token.

The only available seedable pushbutton TOTP token is the SafeNet eToken Pass. The Yubikey can be used as a TOTP token, but only in conjunction with a smartphone app, since the Yubikey does not have an internal clock.

6.3.1.22.2. Software tokens

6.3.1.22.2.1. Experiences

The Google Authenticator and the FreeOTP token can be enrolled easily in TOTP mode using the QR-Code enrollment Feature.

The Google Authenticator is available for iOS, Android and Blackberry devices.

6.3.1.22.3. Enrollment

Default settings for TOTP tokens can be configured at TOTP Token Config.

The enrollment is the same as described in HOTP Token. However, when enrolling TOTP token, you can specify some additional parameters.

../../_images/enroll_totp.png

Enroll an TOTP token