TOTP second factor authentication solution
A lower-cost and more reliable alternative to SMS-based OTP solutions
Most banking apps today use SMS-based OTP for second-factor authentication. Besides the delay during peak times, SMS-based solutions are susceptible to social engineering attacks. RBI recently advised banks to move away from SMS-based OTP for payments because of rising fraud.
Time-based OTP (TOTP) is a better alternative. It uses a separate authenticator app such as Google Authenticator. The solution involves a two-step process.
Setup: This is a one-time activity. It can be facilitated via a QR code generated by your server. When the user scans this QR code with her Google Authenticator app, your server shares a secret key with the app, and Google Authenticator stores this shared key.
Authentication: When the user logs in and reaches the second-factor screen, Google Authenticator uses the shared key and a time counter derived from the current time to generate a six-digit token with the HMAC algorithm. This token is displayed on the screen; the user copies it from Google Authenticator and submits it to your server. Your server then computes the token from the same shared secret and a time counter based on server time. If the process completes within the 30-second time step, the two tokens match, resulting in a successful second-factor authentication.
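The two steps above carried through in code, as an added example (not code from this page or from Google Authenticator): the setup step produces the otpauth URI a server would encode into the QR code, and the authentication step computes and verifies the six-digit HMAC token over the time counter. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second steps, 6 digits), makes up the issuer and account names, and goes slightly beyond the text by tolerating one step of clock drift and refusing a token whose time counter has already been accepted.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

STEP_SECONDS = 30   # time step shared by app and server (period=30)
DIGITS = 6          # six-digit token, as shown by the authenticator app


def totp_at(secret: bytes, unix_time: int) -> str:
    """Token for the time counter floor(unix_time / 30): HMAC-SHA1 + dynamic truncation."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """Setup step: the string the server encodes into the QR code the user scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")   # apps expect base32
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS,
                                    "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


def verify(secret: bytes, submitted: str, now: int, last_counter: int = -1,
           window: int = 1) -> tuple[bool, int]:
    """Authentication step on the server. Returns (ok, counter_to_store).

    Accepts the current step plus/minus `window` steps of clock drift, compares
    in constant time, and skips any counter at or below the last accepted one so
    a token that was already used cannot be accepted a second time.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return False, last_counter
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = totp_at(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_counter
```

The caller persists the returned counter per user and passes it back as `last_counter` on the next attempt; the constructed secret used in the checks is the RFC 6238 test key, not one to deploy.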
Besides customer-facing apps, organizations can also use TOTP for employee and partner apps. While some effort may be needed to train your users, it may be worthwhile, as TOTP is low-cost and much more reliable than SMS-based OTP.