I want to generate an OTP that is valid once in a certain time window in the future. That time window is in the range of minutes to hours. After being used in that window, the OTP may not be used again. I found TOTP and HOTP on this topic. You can create passwords with TOTP for future time windows, but they can then be used for the whole time window over and over. This is not an OTP. I also think that TOTP is not intended for this purpose. With HOTP the password can only be used once, but at any time. Basically I am looking for a combination of TOTP and HOTP. Additional information: it has to be possible to use different codes for the same time window. Is there an established way of doing this (with or without xOTP)?

earthling
    Why do you think that TOTP means that the OTP can be used multiple times? Why can't you track whether or not it has been used? – schroeder Nov 12 '19 at 14:27
  • Tracking the usage does not quite work, because then only one code per interval can be used. However, there can be several consecutive OTPs in the same interval. This information is missing in my question, thanks for your question. – earthling Nov 12 '19 at 15:07
  • Most time-based tokens I've seen in the wild are valid for 30 seconds. Force the user to wait if more are needed, or rescind the need for tokens for thirty seconds if vital parameters are unchanged, e.g. IP, session, user client etc. are identical from previous authentication with topic? – vidarlo Nov 12 '19 at 16:54
  • 30 seconds for me is too little. I need a time window, e.g. tomorrow from 2-3pm. In this window, the OTP can only be used once for any action. More actions require more OTPs. With TOTP I can create a future OTP for a time window for (in this example) one hour. However, without a counter, only one code per time window is possible. I am looking for an established way of doing this, otherwise I would have to brew something on my own, that combines the two. – earthling Nov 13 '19 at 06:45
  • Does it make sense to concatenate the TOTP time step with a counter before feeding it to the HMAC algorithm? Or might this result in an insecure solution? – earthling Nov 15 '19 at 07:04

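An added example (not from the question or any comment, and not a standard) of the construction the last comment asks about: the HMAC input is the window index concatenated with a per-window counter, HOTP-style truncation produces the digits, and the verifier keeps a set of consumed (window, counter) pairs so each code is accepted once and only while its window is current. The secret, timestamps and the bound of five codes per window are constructed assumptions.

```python
import hashlib
import hmac
import struct


def window_otp(secret: bytes, window_index: int, counter: int, digits: int = 6) -> str:
    """Code bound to one time window AND one counter value.

    Message = 8-byte big-endian window index || 8-byte big-endian counter, i.e. the
    concatenation the last comment asks about; the digits come from HOTP dynamic
    truncation (RFC 4226). Assumed construction for illustration, not a standard.
    """
    msg = struct.pack(">QQ", window_index, counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class WindowOtpVerifier:
    """Server side: accept each (window, counter) pair at most once, only while the
    window is current. In a real deployment the 'used' set must be persisted."""

    def __init__(self, secret: bytes, window_seconds: int, max_codes_per_window: int = 5):
        self.secret = secret
        self.window_seconds = window_seconds
        # Bounds the guessing surface: accepting N codes per window multiplies a
        # guesser's odds by N, so keep N small and rate-limit attempts as well.
        self.max_codes_per_window = max_codes_per_window
        self.used: set[tuple[int, int]] = set()

    def window_index(self, now: int) -> int:
        return now // self.window_seconds

    def issue(self, window_index: int, counter: int) -> str:
        return window_otp(self.secret, window_index, counter)

    def verify(self, code: str, now: int) -> bool:
        w = self.window_index(now)
        # Drop pairs from past windows; their codes can no longer validate anyway.
        self.used = {p for p in self.used if p[0] >= w}
        for c in range(self.max_codes_per_window):
            if (w, c) in self.used:
                continue  # already consumed, so a replay of this code falls through
            if hmac.compare_digest(self.issue(w, c), code):
                self.used.add((w, c))
                return True
        return False
```

The codes for a future window (e.g. tomorrow 2-3pm) can be issued ahead of time from its window index, and none of them validates before that window starts or after it ends.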