https://DevOpsCloud.io -- Cloud Monk Losang Jinpa, Ph.D., MCSE/MCT, GitOps DevOps Engineer

Return to RFC 4949 Internet Security Glossary, Authenticator, MFA, java.net.Authenticator, Lastpass Authenticator, Microsoft Authenticator, Google Authenticator, Yubico Authenticator, Password management, Password fatigue, Authentication, Personal identification number (PIN), Password, Password manager, Single signon, MFA-2FA, Microsoft Hello, Apple Face ID, Facial recognition, Biometric authentication, Iris recognition, Retinal scan, Eye vein verification, Recognition, Fingerprint recognition

Return to Security-Related RFCs, Network Security, Container Security - Kubernetes Security, Cloud Security, Web Security, DevSecOps

See: 6239 on datatracker.ietf.org

RFC 6239 is a technical standard that defines the use of HOTP (HMAC-based One-Time Password) and TOTP (Time-based One-Time Password) algorithms within the IETF framework for generating one-time passwords (OTP). The document specifies the guidelines and recommendations for using these algorithms in secure authentication systems. The goal is to enhance security protocols by ensuring that passwords are only valid for a short duration, minimizing the risk of compromise.

The RFC 6239 standard is built on the principles set out in previous RFCs, such as RFC 4226, which defined the HOTP algorithm. By extending these principles to include time-based parameters, RFC 6239 provides a robust solution for dynamic password generation. This dynamic aspect helps mitigate many of the security weaknesses associated with traditional, static password systems.

A key component of RFC 6239 is the specification of the TOTP algorithm, which relies on synchronized time between the client and server. This method of password generation eliminates the need for counters, as used in HOTP, by introducing a time factor, which adds an extra layer of protection. This time synchronization is central to the effectiveness of TOTP as a means of ensuring that passwords remain valid for a limited time frame, reducing the window for potential attacks.

Another important aspect of RFC 6239 is its focus on backward compatibility with RFC 4226. Systems that implement the HOTP algorithm can transition to TOTP without significant modifications, which is a key advantage in terms of adoption. This flexibility allows organizations to integrate time-based authentication methods into existing systems with minimal disruption.

The RFC 6239 standard also addresses the issue of interoperability between different systems. By providing a common framework for TOTP and HOTP implementation, it ensures that various systems can work together seamlessly, regardless of the underlying infrastructure. This interoperability is critical for organizations that rely on multi-factor authentication across diverse platforms.

Security is at the heart of RFC 6239. The document emphasizes the importance of using strong cryptographic algorithms such as SHA-1, SHA-256, and SHA-512 in conjunction with HOTP and TOTP. These algorithms provide the necessary cryptographic strength to protect the integrity of the one-time passwords generated under the standard.

RFC 6239 also highlights the importance of secure key management in the context of TOTP and HOTP usage. The standard recommends best practices for generating, storing, and managing secret keys, which are essential for the secure operation of these algorithms. Without proper key management, the security of the entire system could be compromised, rendering the one-time passwords ineffective.

Another critical feature of RFC 6239 is its support for a wide range of devices. The standard allows for the implementation of TOTP and HOTP on various platforms, including mobile devices, hardware tokens, and software-based solutions. This flexibility ensures that the standard can be applied in a variety of contexts, making it accessible to a broad spectrum of users and use cases.

The scalability of RFC 6239 is another key consideration. The standard is designed to support large-scale deployments, making it suitable for organizations of all sizes. Whether it’s used for securing online services, protecting internal networks, or authenticating users in a multi-factor authentication environment, RFC 6239 provides a reliable and scalable solution.

Finally, RFC 6239 includes a set of recommendations for ensuring the proper implementation of the TOTP and HOTP algorithms. These recommendations cover aspects such as clock synchronization, secret key length, and the use of fallback mechanisms in case of time drift or synchronization issues. By following these guidelines, organizations can ensure that their authentication systems remain secure and effective.

In conclusion, RFC 6239 plays a vital role in enhancing the security of authentication systems by defining the use of TOTP and HOTP algorithms. Its backward compatibility with RFC 4226, focus on interoperability, and support for various devices make it a flexible and scalable standard. Security remains at the core of the standard, with strong cryptographic recommendations and best practices for key management. The emphasis on dynamic password generation using time-based factors ensures that one-time passwords remain valid for only a short period, reducing the risk of attacks. Ultimately, RFC 6239 provides a comprehensive framework for implementing secure one-time password systems across a wide range of applications and platforms. For further information, you can refer to the full document on the IETF website at https://tools.ietf.org/html/rfc6239.

Snippet from Wikipedia: Authenticator

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Using the terminology of the NIST Digital Identity Guidelines, the party to be authenticated is called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates possession and control of one or more authenticators to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

Creative Commons Attribution-Share Alike 4.0

Internet Engineering Task Force (IETF)D. M'Raihi

Request for Comments 6238 Verisign, Inc.

Category: InformationalS. Machani

ISSN: 2070-1721

Diversinet Corp.

M. Pei, Symantec

J. Rydell, Portwise, Inc.

May 2011

This document describes an extension of the One-Time Password (OTP) algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm, as defined in 4226 | RFC 4226, to support the time-based ]moving factor. The HOTP algorithm specifies an event-based OTP algorithm, where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security.

The proposed algorithm can be used across a wide range of network applications, from remote Virtual Private Network (VPN) access and Wi-Fi network logon to transaction-oriented Web applications. The authors believe that a common and shared algorithm will facilitate adoption of two-factor authentication on the Internet by enabling interoperability across commercial and open-source implementations.

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the ]IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6238.

M'Raihi, et al.Informational[Page 1]

RFC 6238 HOTPTimeBasedMay 2011

Copyright Notice

Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction …………………………………………….2 1.1. Scope ………………………………………………2 1.2. Background ………………………………………….3 2. Notation and Terminology ………………………………….3 3. Algorithm Requirements ……………………………………3 4. TOTP Algorithm …………………………………………..4 4.1. Notations …………………………………………..4 4.2. Description …………………………………………4 5. Security Considerations …………………………………..5 5.1. General …………………………………………….5 5.2. Validation and Time-Step Size …………………………6 6. Resynchronization ………………………………………..7 7. Acknowledgements …………………………………………7 8. References ………………………………………………8 8.1. Normative References …………………………………8 8.2. Informative References ……………………………….8 Appendix A. TOTP Algorithm: Reference Implementation ……………9 Appendix B. Test Vectors ……………………………………14

1. Introduction

1.1. Scope

This document describes an extension of the One-Time Password (OTP) algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm, as defined in [RFC4226], to support the time-based moving factor.

M'Raihi, et al.Informational[Page 2]

RFC 6238 HOTPTimeBasedMay 2011

1.2. Background

As defined in [RFC4226], the HOTP algorithm is based on the HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an increasing counter value representing the message in the HMAC computation.

Basically, the output of the HMAC-SHA-1 calculation is truncated to obtain user-friendly values:

HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))

where Truncate represents the function that can convert an HMAC-SHA-1 value into an HOTP value. K and C represent the shared secret and counter value; see [RFC4226] for detailed definitions.

TOTP is the time-based variant of this algorithm, where a value T, derived from a time reference and a time step, replaces the counter C in the HOTP computation.

TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226].

2. Notation and Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].

3. Algorithm Requirements

This section summarizes the requirements taken into account for designing the TOTP algorithm.

R1: The prover (e.g., token, soft token) and verifier (authentication or validation server) MUST know or be able to derive the current Unix time (i.e., the number of seconds elapsed since midnight UTC of January 1, 1970) for OTP generation. See [UT] for a more detailed definition of the commonly known “Unix time”. The precision of the time used by the prover affects how often the clock synchronization should be done; see Section 6.

R2: The prover and verifier MUST either share the same secret or the knowledge of a secret transformation to generate a shared secret.

R3: The algorithm MUST use HOTP [RFC4226] as a key building block.

M'Raihi, et al.Informational[Page 3]

RFC 6238 HOTPTimeBasedMay 2011

R4: The prover and verifier MUST use the same time-step value X.

R5: There MUST be a unique secret (key) for each prover.

R6: The keys SHOULD be randomly generated or derived using key

derivation algorithms.

R7: The keys MAY be stored in a tamper-resistant device and SHOULD be

protected against unauthorized access and usage.

4. TOTP Algorithm

This variant of the HOTP algorithm specifies the calculation of a one-time password value, based on a representation of the counter as a time factor.

4.1. Notations

o X represents the time step in seconds (default value X = 30 seconds) and is a system parameter.

o T0 is the Unix time to start counting time steps (default value is 0, i.e., the Unix epoch) and is also a system parameter.

4.2. Description

Basically, we define TOTP as TOTP = HOTP(K, T), where T is an integer and represents the number of time steps between the initial counter time T0 and the current Unix time.

More specifically, T = (Current Unix time - T0) / X, where the default floor function is used in the computation.

For example, with T0 = 0 and Time Step X = 30, T = 1 if the current Unix time is 59 seconds, and T = 2 if the current Unix time is 60 seconds.

The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038. The value of the system parameters X and T0 are pre-established during the provisioning process and communicated between a prover and verifier as part of the provisioning step. The provisioning flow is out of scope of this document; refer to [RFC6030] for such provisioning container specifications.

M'Raihi, et al.Informational[Page 4]

RFC 6238 HOTPTimeBasedMay 2011

5. Security Considerations

5.1. General

The security and strength of this algorithm depend on the properties of the underlying building block HOTP, which is a construction based on HMAC [RFC2104] using SHA-1 as the hash function.

The conclusion of the security analysis detailed in [RFC4226] is that, for all practical purposes, the outputs of the dynamic truncation on distinct inputs are uniformly and independently distributed strings.

The analysis demonstrates that the best possible attack against the HOTP function is the brute force attack.

As indicated in the algorithm requirement section, keys SHOULD be chosen at random or using a cryptographically strong pseudorandom generator properly seeded with a random value.

Keys SHOULD be of the length of the HMAC output to facilitate interoperability.

We RECOMMEND following the recommendations in [RFC4086] for all pseudorandom and random number generations. The pseudorandom numbers used for generating the keys SHOULD successfully pass the randomness test specified in [CN], or a similar well-recognized test.

All the communications SHOULD take place over a secure channel, e.g., Secure Socket Layer/Transport Layer Security (SSL/TLS) [RFC5246] or IPsec connections [RFC4301].

We also RECOMMEND storing the keys securely in the validation system, and, more specifically, encrypting them using tamper-resistant hardware encryption and exposing them only when required: for example, the key is decrypted when needed to verify an OTP value, and re-encrypted immediately to limit exposure in the RAM to a short period of time.

The key store MUST be in a secure area, to avoid, as much as possible, direct attack on the validation system and secrets database. Particularly, access to the key material should be limited to programs and processes required by the validation system only.

M'Raihi, et al.Informational[Page 5]

RFC 6238 HOTPTimeBasedMay 2011

5.2. Validation and Time-Step Size

An OTP generated within the same time step will be the same. When an OTP is received at a validation system, it doesn't know a client's exact timestamp when an OTP was generated. The validation system may typically use the timestamp when an OTP is received for OTP comparison. Due to network latency, the gap (as measured by T, that is, the number of time steps since T0) between the time that the OTP was generated and the time that the OTP arrives at the receiving system may be large. The receiving time at the validation system and the actual OTP generation may not fall within the same time-step window that produced the same OTP. When an OTP is generated at the end of a time-step window, the receiving time most likely falls into the next time-step window. A validation system SHOULD typically set a policy for an acceptable OTP transmission delay window for validation. The validation system should compare OTPs not only with the receiving timestamp but also the past timestamps that are within the transmission delay. A larger acceptable delay window would expose a larger window for attacks. We RECOMMEND that at most one time step is allowed as the network delay.

The time-step size has an impact on both security and usability. A larger time-step size means a larger validity window for an OTP to be accepted by a validation system. There are implications for using a larger time-step size, as follows:

First, a larger time-step size exposes a larger window to attack. When an OTP is generated and exposed to a third party before it is consumed, the third party can consume the OTP within the time-step window.

We RECOMMEND a default time-step size of 30 seconds. This default value of 30 seconds is selected as a balance between security and usability.

Second, the next different OTP must be generated in the next time- step window. A user must wait until the clock moves to the next time-step window from the last submission. The waiting time may not be exactly the length of the time step, depending on when the last OTP was generated. For example, if the last OTP was generated at the halfway point in a time-step window, the waiting time for the next OTP is half the length of the time step. In general, a larger time- step window means a longer waiting time for a user to get the next valid OTP after the last successful OTP validation. A too-large window (for example, 10 minutes) most probably won't be suitable for typical Internet login use cases; a user may not be able to get the next OTP within 10 minutes and therefore will have to re-login to the same site in 10 minutes.

M'Raihi, et al.Informational[Page 6]

RFC 6238 HOTPTimeBasedMay 2011

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

6. Resynchronization

Because of possible clock drifts between a client and a validation server, we RECOMMEND that the validator be set with a specific limit to the number of time steps a prover can be “out of synch” before being rejected.

This limit can be set both forward and backward from the calculated time step on receipt of the OTP value. If the time step is 30 seconds as recommended, and the validator is set to only accept two time steps backward, then the maximum elapsed time drift would be around 89 seconds, i.e., 29 seconds in the calculated time step and 60 seconds for two backward time steps.

This would mean the validator could perform a validation against the current time and then two further validations for each backward step (for a total of 3 validations). Upon successful validation, the validation server can record the detected clock drift for the token in terms of the number of time steps. When a new OTP is received after this step, the validator can validate the OTP with the current timestamp adjusted with the recorded number of time-step clock drifts for the token.

Also, it is important to note that the longer a prover has not sent an OTP to a validation system, the longer (potentially) the accumulated clock drift between the prover and the verifier. In such cases, the automatic resynchronization described above may not work if the drift exceeds the allowed threshold. Additional authentication measures should be used to safely authenticate the prover and explicitly resynchronize the clock drift between the prover and the validator.

7. Acknowledgements

The authors of this document would like to thank the following people for their contributions and support to make this a better specification: Hannes Tschofenig, Jonathan Tuliani, David Dix, Siddharth Bajaj, Stu Veath, Shuh Chang, Oanh Hoang, John Huang, and Siddhartha Mohapatra.

M'Raihi, et al.Informational[Page 7]

RFC 6238 HOTPTimeBasedMay 2011

8. References

8.1. Normative References

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, “HMAC: Keyed-

 Hashing for Message Authentication", RFC 2104,
 February 1997.

[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate

 Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,

 "Randomness Recommendations for Security", BCP 106,
 RFC 4086, June 2005.

[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and

 O. Ranen, "HOTP: An HMAC-Based One-Time Password
 Algorithm", RFC 4226, December 2005.

[SHA2] NIST, “FIPS PUB 180-3: Secure Hash Standard (SHS)”,

 October 2008, .

8.2. Informative References

[CN] Coron, J. and D. Naccache, “An Accurate Evaluation of

 Maurer's Universal Test", LNCS 1556, February 1999,
 .

[RFC4301] Kent, S. and K. Seo, “Security Architecture for the

 Internet Protocol", RFC 4301, December 2005.

[RFC5246] Dierks, T. and E. Rescorla, “The Transport Layer Security

 (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC6030] Hoyer, P., Pei, M., and S. Machani, “Portable Symmetric

 Key Container (PSKC)", RFC 6030, October 2010.

[UT] Wikipedia, “Unix time”, February 2011,

 .

M'Raihi, et al.Informational[Page 8]

RFC 6238 HOTPTimeBasedMay 2011

Appendix A. TOTP Algorithm: Reference Implementation

/**
Copyright (c) 2011 IETF Trust and the persons identified as
authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, is permitted pursuant to, and subject to the license
terms contained in, the Simplified BSD License set forth in Section
4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
*/

/**
 * This is an example implementation of the OATH
 * TOTP algorithm.
 * Visit www.openauthentication.org for more information.
 *
 * @author Johan Rydell, PortWise, Inc.
 */

public class TOTP {

 private TOTP() {}

 /**

 private static byte[] hmac_sha(String crypto, byte[] keyBytes,
byte[] text){

Mac hmac;
hmac = Mac.getInstance(crypto);
SecretKeySpec macKey =
 new SecretKeySpec(keyBytes, "RAW");
hmac.init(macKey);
return hmac.doFinal(text);

throw new UndeclaredThrowableException(gse);

 }

 /**

 private static byte[] hexStr2Bytes(String hex){

ret[i] = bArray[i+1];

 }

 private static final int[] DIGITS_POWER
 // 0 1  23 4  56 7  8
 = {1,10,100,1000,10000,100000,1000000,10000000,100000000 };

 /**

 public static String generateTOTP(String key,
String time,
String returnDigits){

 }

 /**

 public static String generateTOTP256(String key,
String time,
String returnDigits){

 }

 /**

 public static String generateTOTP512(String key,
String time,
String returnDigits){

 }

 /**

 public static String generateTOTP(String key,
String time,
String returnDigits,
String crypto){

time = "0" + time;

((hash[offset] & 0x7f) << 24) ]] | [[
((hash[offset + 1] & 0xff) << 16) ]] | [[
((hash[offset + 2] & 0xff) << 8) ]] | [[
(hash[offset + 3] & 0xff);

result = "0" + result;

 }

 public static void main(String[] args) {

 1234567890L, 2000000000L, 20000000000L};

System.out.println(

"------------------+--------+--------+");
System.out.println(