Talk:Time-based one-time password

Clarification
Apologies if I'm not following protocol for how/where to post this, but I believe there is a correction to be made here, or at least a clarification. (Thanks to the contributors to this page, by the way... I was able to built a compliant Java implementation of TOTP using only this page as a reference.) The correction/clarification is that, in the first section, the term "time step" and abbreviation "TS" are used, while in the second section, the term is "time interval" and abbreviation "TI". Thanks! (Christopher Schultz) — Preceding unsigned comment added by 173.66.116.184 (talk) 17:40, 2 May 2017 (UTC)

I've removed the references to RSA SecurID, which is a time-based token that does *not* use TOTP. Similarly, I've removed the claim that Security Dynamics (now RSA) "patented TOTP" in 1984 -- it was clearly taken from a Security Dynamics press release as, among other things, it reproduced a typo in the patent number (4,270,860 where the actual patent number is 4,720,860). One should note that the patent in question does not contain the words "TOTP", "SHA", or "HMAC", so whatever it covers, at the very least it's got nothing specific to do with TOTP (and couldn't, since the cryptographic primitives used by TOTP, notably HMAC, had not been invented in 1984 when that patent application was filed).

Anyone interested in how SecurID actually works should look at "stoken" on SourceForge, which is an open-source implementation of the SecurID algorithm. It's definitely not TOTP. Tls (talk) 19:23, 23 June 2015 (UTC)

You shouldn't link directly to IDs as they expire. I updated the ID link as temporary fix rather than leave a broken link. Chris97 (talk) 11:14, 2 January 2010 (UTC)

Actually, by RFC 2026, you shouldn't be referencing Internet Drafts at all. I'll leave that policy to others. http://www.ietf.org/rfc/rfc2026.txt Section 2.2, page 8.

BTW: at this writing it's up to version 7. And the text of this page says it's an RFC at first, which is currently incorrect. OATH should host a current copy at a stable link, and link that here. — Preceding unsigned comment added by Davesnotthere (talk • contribs) 19:41, 13 January 2011 (UTC)

New 'implementors' page?
The list in sections Time-based One-time Password Algorithm, Google Authenticator and OAuth has much overlap. Perhaps these lists can be merged into a new article List of OAuth providers or similar? 2pem (talk) 09:17, 12 February 2014 (UTC)

Stripped it of biase and merged it into a table to avoid bloating. (Anon) 6:47 PM, 11 September 2016 (GMT+1) — Preceding unsigned comment added by 217.208.42.210 (talk) 17:47, 9 November 2016 (UTC)

Implementation
I thought the "definition" section was hard to read and it didn't define the actual method of obtaining the token from the parameters. I wrote an "implementation" section detailing the method, which contains enough information that actual implementations can be written using it. It is based on the RFC 6238 implementation (which is painful to read through), and actually works. Thermate (talk) 17:00, 5 August 2014 (UTC)

Microsoft and TOTP (server side)
Microsoft doesn't use TOTP. They use a mobile app to verify login requests - just a tap, no code. nyuszika7h (talk) 18:59, 17 February 2015 (UTC)

Weaknesses
If there's to educate about "History", there absolutely needs to be room to help educate about the drawback of this 30-year-old tech, so we don't end up making people think they need to use this, without them having any idea what it does or doesn't protect against! — Preceding unsigned comment added by 120.151.160.158 (talk) 11:49, 30 March 2015 (UTC)


 * Regarding that, i added a note to the effect that your session can still be compromised even when using these methods to log in/authenticate over untrusted machines, such as when checking your mail on a PC at a public library. Lest anyone think that OTP + HTTPS = totally secure sessions. — Preceding unsigned comment added by 79.168.138.50 (talk) 04:56, 7 October 2016 (UTC)

In the same regard, the opening statement that the technology is obsolete (referencing an article by Bruce Schneier) is not backed up by the reference. The reference merely states that is insufficient mitigation for all attack scenarios. To draw the conclusion of obsolescence is really a stretch. Aschlosberg (talk) 06:52, 18 April 2016 (UTC)

Nested lists and grammar
Hi there,

Recently I made a fix to correct the grammar of the string "TOTP devices have batteries that go flat, clocks that can de-sync, and software versions are on phones that can be lost and/or stolen"; however it was reverted with the comment "Previous version was correct". I'd like to explain why the previous (and current) version is incorrect, and why I bothered to make the fix, in hopes that it will be reintroduced.

The form of this piece of text, as written, is "TOTP devices have A, B, and C", where:
 * A is "batteries that go flat" (a noun phrase)
 * B is "clocks that can de-sync" (also a noun phrase)
 * C is "software versions are on phones that can be lost and/or stolen" (a clause)

So it's a list that contains two noun phrases and a clause. But that's not grammatical. It doesn't mean anything to say "TOTP devices have software versions are on phones that can be lost and/or stolen".

However, what does work is if the form is changed to "TOTP devices have A and B, and software versions are D". This makes it clear that what we have here is two lists (of clauses), where the first list item is itself a list (of noun phrases). So that's the proposed change: replace the comma between A and B with the word "and".

Jkshapiro (talk) 04:00, 9 September 2018 (UTC)

Change capitalization of title to Time-based one-time password algorithm
I propose that the article's name be changed from Time-based One-time Password algorithm to Time-based one-time password algorithm. This change in capitalization would make the title more consistent with that of other related articles, such as One-time password. I think this change may require a page rename/move. Somerandomuser (talk) 18:03, 27 September 2018 (UTC)

Client capabilities
The "non-default" annotations/claims are completely unsourced, and seem to have multiple invalid assertions (rather than saying "unknown" everywhere) e.g. lastpass authenticator seems to be supporting custom value length, hash and interval at least in manual entry mode: https://i.imgur.com/6ckXd1t.png — Preceding unsigned comment added by 109.89.154.143 (talk) 16:06, 15 January 2019 (UTC)

What is the correct capitalization?
In the article, "One-time" is capitalized as "One-Time". This makes sense, because the acronym is TOTP. Should the article be renamed with this new capitalization? An alternative is to rename it to "Time-based one-time password algorithm", though I'm not sure about that idea. SebastianTalk - 23:23, 25 April 2020 (UTC)
 * Sources vary for such acronyms, even within a single article, however the original IETF standard capitalises all the words. — kashmīrī  TALK  23:44, 25 April 2020 (UTC)