TOTP stands for time-based one-time password and is a technique used by CCI to provide two-factor authentication to users.
TOTP works by generating a shared secret that is stored at CCI and on a device owned by the user. This secret and the current time are used together to generate a one-time password which is displayed on the user's device. The password is one-time because it is unique to that point in time and is only valid for 30 seconds. The one-time password and the user's static password are used together when logging in providing two authentication factors.
Why use TOTP or two-factor authentication?¶
Typically, users are familiar with simple authentication that involves providing a username and password. In this arrangement the only piece of information used to authenticate a user is something that is known to him/her - the password. Once this password becomes known to another individual it is impossible to authenticate a user as the person they are claiming to be and the account is considered compromised.
Two-factor authentication utilizes a second factor to validate a user. In this case something that the user has (the device) provides the second factor. For an account to be compromised, both factors must be known or available to another individual. This greatly increases the difficulty of compromising an account.
The TOTP standard and the ubiquity of smart phones make it an inexpensive, easy, and secure technique for providing two-factor authentication to users.
TOTP and two-factor authentication at CCI¶
At CCI, TOTP/two-factor authentication is implemented such that users with Apple or Android devices can use Google Authenticator to display a TOTP on their mobile device. (Note: Although this app is provided by Google and used in their own two-factor system, it has no reliance on Google systems or a CCI user having a Google account. It also does not rely on a network connection; the code is generated locally on the device.)
In addition to the TOTP and static password, CCI's two-factor authentication system utilizes a PIC (personal identification code, similar to a PIN) which increases the storage security of the shared secret used to generate and validate the TOTP.
Setting up TOTP/two-factor authentication¶
Users wishing to use TOTP/two-factor authentication at CCI must have a challenge word setup prior to configuring TOTP.
- Download and install the appropriate Google Authenticator app for your mobile device.
- Go to the TOTP setup web form and fill-out the form selecting a PIC in the process. The PIC should not be the same as the challenge word.
- From within the Google Authenticator app add a new account, either using the QR code displayed or by manually enter the secret key displayed below the QR code (BlackBerry only).
When this process is complete, your mobile device should display a 6-digit code that changes every 30 seconds.
Using TOTP/two-factor authentication¶
Currently, a second set of landing pads (
blp01 - blp04) must be used
with two-factor authentication. These landing pads do not require
firewall exceptions and may be accessed from anywhere.
After connecting, the user will be presented with the prompt
where the user will enter their PIC followed by the current 6-digit TOTP
displayed on their mobile device. (Note: There is no space/+/enter
between the PIC and the TOTP.) After pressing enter, the user will then
be prompted for their static password.