A few weeks ago, I became curious about the one-time password algorithms and how two-factor authentication works behind the scenes with the various providers, i.e., Google Authenticator or OTP Yubikey. Nowadays, I believe everyone or almost everyone is using two-factor authentication (2FA). Two-factor authentication is a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two authentication factors to verify the identity of someone that wants access to an online service.

A one-time password is a password of a specific length that is valid for only one login session. It is generated once, used once, and then it is discarded.

OTP generation algorithms

There are different algorithms used in one-time password generation. Some are:

• HOTP, which stands for HMAC based one-time password algorithm
• TOPT, which stands for Time-based One-Time password
• OCRA, which stands for OATH challenge-response algorithm
• Transmission based OTP

HOTP for dummies from a dummy

HOTP algorithm, which stands for HMAC based one-time password algorithm, was first published by OATH as RFC 4226 back in 2005. Usually, businesses give their customers a small electronic device that generates a number when they press a button. This number is the OTP password.

How does the HMAC algorithm works?

To understand how the HOTP algorithms, we need to visit and examine how HMAC works. HMAC stands for Hash-based Message Authentication Code and is used to verify the authenticity and integrity of data transmitted over insecure networks.

From Security 101, we know that authenticity ensures that the data are sent by the person claiming to have done so. Integrity is for ensuring that the data are not modified after being sent and were received intact.

The first step is to choose a cryptographic hash function, i.e., SHA-2 or SHA-3. HMAC uses hashing algorithms that are block ciphers, which means that they encrypt data in blocks. Depending on the selected algorithm, the data would be hashed in blocks of a specific size B, and a hash of size L will be produced. The next step is to generate a random secret key and securely share it among the two parties. The secret key should have a size between the block size B and the size of the hash L. Otherwise, it should be hashed using the chosen function.

The two keys of HMAC: Inner and Outer

The algorithm will produce two more keys from the secret key: the inner and the outer key. The inner key is generated by appending zeroes to the end of the secret key to make it of size B. Then, it will be performing the XOR operation with the byte 0x36 repeated B times. Similarly, the outer key is derived by appending zeroes to the secret key to make it of size B and then performing the XOR operation with the byte 0x5C repeated B times.

The actual work

The HMAC algorithm uses the above two keys to perform two passes of hash computation. It will append the actual data to the inner key and produce a hash of size L. This hash will be appended to the outer key and hashed again, making another hash of size L. The latter is the hash used to confirm the integrity and authenticity of the data. We should note that HMAC does not encrypt the data. The data should be sent along with the hash. The recipient can use the data they receive and the key they have, execute the above algorithm, and see if the produced hash matches their received code.

How does the HOTP use the HMAC?

HTOP requires two inputs. One of them is the secret key, which is shared between the server and the token. The second input is a counter, a variable stored on the server and the fob device. The server and the fob device are naturally synchronized. The fob’s counter scales up each time a code is generated, and the server counter scales up with each validated OTP. The HOTP is calculated by first creating an HMAC hash from the key and counter. The resulting output is shortened to 6 or 8 digits, which is the one-time password.

ΤOTP for dummies from a dummy

The time-based one-time password algorithm is an extension of the HOTP algorithm. It replaces the counter with the current time and ensures that the password generated is valid only for a specific time. TOTP vendors usually use a Unix timestamp to coordinate a universal time and avoid any problems with time zones. The code should be used within a particular time window of 30 seconds to handle time latency inconsistencies.

One-time password providers

Google Authenticator

Google authenticator mobile applications is a software-based token device, which implements two-step verification using both the Time-based One-time password algorithm and the HMAC-based one-time password algorithm. The secret key is communicated in the form of a QRCode encoded URI.

Yubikey & Yubico

Yubikey supports one-time passwords as well. An OTP from Yubico is a 44-character, one-use, 128-bit encrypted Public ID and Password. It consists of two major parts: the first 12 characters remain constant and represent the Public ID of the YubiKey device itself. The remaining 32 characters make up a unique passcode for each OTP generated. The Public ID of the Yubikey is generated and loaded on the YubiKey at production. Yubico can do this if you are using the YubiCloud, or by the user directly. It should also be shared with the validation server before it is used to produce OTPs. The validation server can be the Yubicloud or any other private validation server.

The generated one-time password has five fields:

• uid: a 6 bytes private id
• useCtr: a counter preserved even when the yubikey is not powered.
• tstp: the timestamp, a 24-bit field incremented with a rate of approximately 8 Hz
• sessionCtr: a counter initiated at zero every time at power-up.
• rnd: a 16-bit random number.

And is encrypted with a unique AES-128 bit key. The result is the 32 character mod hex string included after the 12 characters Public ID.

References:

• Yubico OTPs
• Google Authenticator
• RFC 6238
• RFC 4226