What is TOTP? (What Businesses Need to Know)
Do you want to secure your business’s data but are having difficulty having a complete understanding of the multiple layers of 2-Factor authentication?
At Intelligent Technical Solutions, we’ve helped guide our clients through the confusing (and expensive!) web of data protection.
So in this article, we’ll be looking at one of the terms connected to 2FA: the TOTP code. We’ll go through the following questions:
- What are TOTP codes?
- How to Manage TOTP Codes
- Extra Tools to Manage TOTP Codes
- Recommended TOTP Manager
- Who needs TOTP Codes?
And by the end, you’ll know the barebones of what TOTP can do to protect your company employees and data.
What are TOTP codes?
The meaning of TOTP is a Time-based One-time Password. Usually, it’s interchanged with OTP (One-time Password), but an OTP is a slightly different code.
TOTP is a time-based code generated via authenticator apps like Google Authenticator and Microsoft Authenticator. The code shifts every 30 or 60 seconds -- you need to input the code between that time.
An OTP is generated every time you log in and is received via text message. Companies are slowly moving away from OTP as more cyber criminals seek ways to intercept SMS messages.
TOTP codes fall under the umbrella of 2FA or 2-Factor Authentication (the process of having an extra device to verify your identity).
How to Manage TOTP Codes
According to Kyle Ramirez, Technical Sales Engineer ITS San Francisco, TOTP codes are something that clients need to self-manage.
“It’s like the skill of having to type in the username and password,” he said. “This is a skill that everybody is going to need to kind of operate in the digital world; being able to self-manage your own codes should be a skill that everyone should practice.”
Managed IT Service Providers (MSPs) do not manage TOTP codes for clients. At most, MSPs guide you while you set up your TOTP authentication. You’ll need a smartphone and an internet connection.
Ramirez clarified the process. “When you go to enable Multi-factor Authentication (MFA), it’s either enforced by the platform, or you’ve requested some additional security on your account.
“There are all sorts of different authenticator apps, and that’s kind of where the confusion comes from. There’s so many to choose from, and sometimes you think, oh, I have to use the one coming from that service.
So if I have a Google account and want to set up MFA, do I have to use Google Authenticator?
The answer is that you don’t actually have to split your usage. You can pick one [app] you’re already using.
So maybe I’m setting up a Google account or Microsoft account and then just scanning some code I don’t have to use their app; I can use the one that I’ve standardized on for all of my stuff.”
Extra Tools to Manage TOTP Codes
TOTP and OTP codes can be a hassle to manage. Aside from centralizing all your TOTPs into one app, you can also integrate your TOTP codes with a password manager.
Ramirez said, “Password managers are now supporting TOTP codes. If your company has an offering for a password manager, [your MSP] may also be able to help you with your strategy to manage the codes.”
“But I do strongly believe TOTP management should be an individual skill people practice more,” he continued, “because these MFA codes are appearing everywhere on all sorts of different sites.”
Recommended TOTP Manager
Unless you’re looking for specific features, the authenticators from large companies are the best way to go. For most users, you’ll be fine using Google Authenticator or Microsoft Authenticator.
But Ramirez pointed out that he has a different personal app.
“The Authy app is the one I use personally,” he said. “Authy has some benefits that I haven’t seen from other authenticator apps.”
He claimed it was one of the only authenticator apps you could install on multiple devices. “So I have the Authy desktop app,” Ramirez said, “and I have the Authy mobile app, and they share my codes because the codes are also backed up to their cloud.”
This will be especially beneficial when he gets a new device. “If I get a new device and I need to redownload the app,” Ramirez explained, “sometimes I need to regenerate all of these codes all over again.”
“But because these codes are saved in the Authy cloud, I can log into your Authy account and automatically retrieve those codes because they’re backed up. So the backup is another benefit.”
Who needs TOTP Codes?
If the service has 2FA then you should use it. It’s now a standard part of securing your network. All of your employees should have TOTP or 2FA set up.
Ramirez goes as far as to say, “It [TOTP] is for everybody; it’s not only clients, it’s also people in your personal life. TOTP codes are used everywhere now. Banks, Amazon, online shopping, all sorts of places are using these kinds of codes, and it’s kind of difficult to manage them.”
“So I would definitely say all clients should use it.”
Ready to implement TOTP codes for your business?
Overall, TOTP or Time-based One-time Passwords are a good way of adding another wall of security between you and hackers. Everyone should set up a TOTP.
All you need is an account that supports 2FA, an Authentication app, and a stable internet connection. The authenticator app lists the acceptable code per website for a set amount of time.
It’s easy to manage TOTPs by putting all accounts in one authentication app. You can also integrate your authentication app with certain password managers.
At ITS, we’ve made it a standard to have 2FA and TOTPs in our clients’ accounts. This is essential in protecting the company’s network.
However, it’s not enough to have 2-Factor authentication, and TOTPs then call it a day. There are more layers to cyber security than this.