Time-based One-time Password Algorithm

Standard

TOTP, the Time-based One-time Password Algorithm, is an extension of the HMAC-based One-Time Password algorithm (HOTP) that supports a time-based moving factor. A moving factor is a value that must change each time a new password is generated, so that a different password is always produced. So a password generated at 12:00:01 will be different from one generated at 12:00:31 even if the other inputs used to generate it are the same. Note: the time is only counted in 30-second intervals, so a password generated at 12:00:01 will be the same as one generated at 12:00:15 or 12:00:29. TOTP is an Internet Engineering Task Force standard and a cornerstone of the Initiative For Open Authentication (OATH).
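To make the moving factor concrete, here is an added example (not code from the original post) that implements HOTP and TOTP as described above, checks them against the published RFC 4226/6238 test seed, and shows the 30-second interval behaviour using the post's own clock times on a constructed date. It also includes the server-side check a verifier would run, accepting one adjacent time step to tolerate clock drift and comparing codes in constant time.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Constructed test secret: the ASCII seed used in the RFC 4226 / RFC 6238 test vectors
RFC6238_SEED = b"12345678901234567890"
TIME_STEP = 30  # seconds; the interval the post describes


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_time: float, step: int = TIME_STEP) -> int:
    """The TOTP moving factor T = floor(unix_time / step)."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time: float, digits: int = 6,
         step: int = TIME_STEP, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the current time step as the counter."""
    return hotp(secret, time_step(unix_time, step), digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: float,
                window: int = 1, digits: int = 6, step: int = TIME_STEP) -> bool:
    """Server-side check: accept the code for the current step or any step within
    +/- `window` (clock drift between phone and server). Every candidate step is
    compared in constant time and no early return is taken, so timing reveals nothing.
    A real server should also remember the last accepted step so a code cannot be replayed."""
    t = time_step(unix_time, step)
    ok = False
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, t + offset, digits), candidate):
            ok = True
    return ok


def codes_at(secret: bytes, clock_times: list) -> dict:
    """Map 'HH:MM:SS' strings on a constructed date (2013-01-01 UTC) to their TOTP codes."""
    out = {}
    for hhmmss in clock_times:
        dt = datetime.strptime(f"2013-01-01 {hhmmss}", "%Y-%m-%d %H:%M:%S")
        out[hhmmss] = totp(secret, dt.replace(tzinfo=timezone.utc).timestamp())
    return out


if __name__ == "__main__":
    # RFC 6238 Appendix B: at Unix time 59 the 8-digit SHA-1 TOTP is 94287082
    print("T=1 ->", totp(RFC6238_SEED, 59, digits=8))
    # The post's example: 12:00:01, 12:00:15 and 12:00:29 share a step; 12:00:31 does not
    for when, code in codes_at(RFC6238_SEED, ["12:00:01", "12:00:15", "12:00:29", "12:00:31"]).items():
        print(when, code)
```

The test vectors come from the RFCs themselves, so a correct implementation must reproduce them exactly; anything else means the counter packing or truncation is wrong.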

Applications:

TOTP can be used to authenticate a user to a system via an authentication server. With some additional steps, the user can also authenticate the validation server.

Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Google/Wordpress/Dropbox etc. accounts. Once enabled, it will require a six-digit security code in addition to your password whenever you sign in to your account or link a new computer, phone, or tablet.

It complements the event-based one-time standard HOTP and offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines.

Another layer of security for your account:

There are a number of steps we’re taking to add an extra layer of security for account users. Today I’d like to announce the two-step verification technology, a feature that will enhance the security of your account by requiring two levels of authentication: your password, and a security code that will either be texted to your mobile phone or generated by a mobile authenticator app (available for iOS, Android, BlackBerry and Windows Phone 7).

What is it:

Two-step verification is one of several steps that we’re taking to enhance the security of your account. Turning on two-step verification is simple: go to the new Security label in your account settings and enable two-step verification in the “Account sign in” section.

Let me discuss the Dropbox security steps here. You may also follow the steps shown below.

[Screenshot: enabling two-step verification in the Dropbox security settings]

Now you have successfully enabled two-step verification. It makes the account quite difficult to get into, and that is the point: nobody can log in without the second step. A basic user may even get confused and think their password was hacked, because the account can’t be opened without one of the mobile apps listed below. Don’t worry; a few authenticator apps are listed as follows.

Several mobile apps are available that will generate a unique time-sensitive security code you can use to finish signing in to your account. Any app that supports the Time-based One-Time Password (TOTP) protocol should work, including the following:

  • Google Authenticator (Android/iPhone/BlackBerry)
  • Duo Mobile (Android/iPhone)
  • Amazon AWS MFA (Android)
  • Authenticator (Windows Phone 7)

    Use text messages

    If you choose to receive your security codes by text message, you’ll need a phone capable of receiving text messages (carrier rates may apply). Whenever you successfully sign in to Dropbox using your password, a text message containing a security code will be sent to your phone. To enable this option:

    1. Select Use text messages during the two-step verification setup.
    2. Enter the phone number where you’d like to receive text messages.
      [Screenshot: Enter your phone number]
    3. You’ll be sent a security code by text message. Verify your phone number and enable two-step verification by entering this code when prompted.

    To use one of these apps:

    1. Select Use a mobile app during the two-step verification setup.
    2. You can choose to either scan the barcode (if your app supports it) or click enter your secret key manually to be given a secret key you can type into the app.
      [Screenshot: Scan the barcode or enter a secret key manually]
    3. Once your app is configured, you’ll need to enter a security code generated by your authenticator app to verify setup and enable two-step verification.
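What the barcode and the “enter your secret key manually” option actually carry is the shared secret in Base32 form, wrapped in an otpauth:// key URI. The following added example (not Dropbox’s or any app’s code) shows the provisioning side: generating a fresh secret, rendering it as the typed manual key, building and parsing the key URI. The issuer and account names are constructed placeholders; the fixed seed is the RFC 4226/6238 test seed so the output is reproducible.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed fixed seed (the RFC 4226 / RFC 6238 test seed) for reproducible output
SEED = b"12345678901234567890"


def make_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret; 20 bytes matches HMAC-SHA1's output size."""
    return secrets.token_bytes(nbytes)


def manual_key(secret: bytes) -> str:
    """The 'enter your secret key manually' form: unpadded Base32, grouped in fours for typing."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return " ".join(b32[i:i + 4] for i in range(0, len(b32), 4))


def secret_from_manual_key(key: str) -> bytes:
    """Inverse of manual_key: tolerate spaces, lowercase and the missing '=' padding."""
    cleaned = "".join(key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)  # Base32 decoders expect a multiple of 8 chars
    return base64.b32decode(cleaned)


def otpauth_uri(secret: bytes, issuer: str, account: str,
                digits: int = 6, period: int = 30) -> str:
    """Key URI encoded in the QR barcode (the otpauth:// format used by Google Authenticator
    and compatible apps); algorithm SHA1 / 6 digits / 30 s are the common defaults."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


def parse_otpauth_uri(uri: str) -> dict:
    """What the app does after scanning: recover the secret bytes and the TOTP parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": secret_from_manual_key(q["secret"]),
        "issuer": q.get("issuer"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


if __name__ == "__main__":
    print("manual key:", manual_key(SEED))
    # Issuer and account are constructed placeholders, not real identifiers
    print("uri:", otpauth_uri(SEED, "ExampleService", "alice@example.com"))
```

The secret is the whole security of the scheme: whoever can read the barcode or the typed key can generate the same codes, which is why the setup screen should be treated like a password and the secret stored server-side with the same care.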

      Public server implementations (technology used by…):

      • Google has implemented TOTP in its Google Authenticator which is the basis of its two-factor authentication.
      • Amazon Web Services also supports TOTP for AWS console logins using Amazon Virtual MFA or Google Authenticator.
      • Dropbox has enabled the technology for account access.
      • Evernote has enabled the technology for account access.
      • GitHub has enabled the technology for account access.
      • Gandi has enabled the technology for account access.
      • Linode has enabled the technology for account access.
      • LastPass also supports TOTP.
      • LinOTP is open source and supports various TOTP and HOTP client authenticators.
      • multiOTP is an open-source PHP implementation of HOTP, TOTP, mOTP and other tokens. It can be used as a command-line tool, integrated into a web site, as a web service, as a RADIUS plugin, etc.
      • WordPress has enabled the technology for account access.

        Note:

        • Most apps will generate security codes even when cellular/data service is not available – useful when traveling or where coverage is unreliable.
        • This post covers the basics of this security technology.
