基于时间的一次性密码算法：修订间差异

'''基于时间的一次性密码算法（TOTP）'''是一种根据预共享的密钥与当前时间计算[[一次性密码]]的[[算法]]。它已被[[互联网工程任务组]]接纳为RFC 6238标准<ref name="RFC6238">{{cite web|url=http://tools.ietf.org/html/rfc6238|title=RFC 6238 - TOTP: Time-Based One-Time Password Algorithm|accessdate=2011-07-13|archive-date=2021-01-05|archive-url=https://web.archive.org/web/20210105223343/https://tools.ietf.org/html/rfc6238|dead-url=no}}</ref>，成为{{le|主动开放认证|Initiative For Open Authentication}}（OATH）的基石，并被用于众多[[多重要素验证]]系统当中。

尽管RFC 6238标准允许使用不同的参数，Google开发的验证应用不允许不同于默认的T0、TI值、哈希方法和密码长度。RFC 3548也同时鼓励K密钥以base-32编码输入（或以[[QR碼|QR码]]的形式提供）。<ref>{{Cite web|url=https://code.google.com/p/google-authenticator/wiki/KeyUriFormat|title=KeyUriFormat|accessdate=2014-08-05|archive-date=2014-12-30|archive-url=https://web.archive.org/web/20141230004255/https://code.google.com/p/google-authenticator/wiki/KeyUriFormat|dead-url=no}}</ref>

窃取到预共享密钥的攻击者可以随意生成新的非法的TOTP代号。如果攻击者攻破大型的认证数据库，这就会是个问题。<ref>{{Cite news|url=https://www.wired.com/2011/06/rsa-replaces-securid-tokens/|title=RSA Agrees to Replace Security Tokens After Admitting Compromise|last=Zetter|first=Kim|newspaper=WIRED|accessdate=2017-02-17|language=en-US|archive-date=2020-11-12|archive-url=https://web.archive.org/web/20201112032021/https://www.wired.com/2011/06/rsa-replaces-securid-tokens/|dead-url=no}}</ref>

TOTP草案由数位OATH成员合作开发，目的是创建一个行业通用标准。它完善了基于事件的一次性标准HOTP，并为终端用户组织和企业在选择最适合的应用要求与安全规范技术提供了更多选择。2008年，OATH向IETF提交了一份草案规范。这一版本的草案以之前提交的版本为基础，包含作者从技术社区收到的全部反馈与评论。<ref>{{Cite web|url=http://www.openauthentication.org/news/20080408|title=OATH Submits TOTP: Time-Based One Time Password Specification to IETF|accessdate=2010-02-22|last=Alexander|first=Madison|work=Open Authentication|archive-date=2013-01-23|archive-url=https://www.webcitation.org/6DtdCt3JN?url=http://www.openauthentication.org/news/20080408|dead-url=yes}}</ref>2011年5月，TOTP正式成为[[RFC]] 6238标准的一部分。

|[https://web.archive.org/web/20190328081042/https://www.onelogin.com/ OneLogin]|[https://www.onelogin.com/product/one-time-password OneLogin 保护]

|多重因素验证<ref>{{Cite web|url=http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx|title=Microsoft Account Gets More Secure|accessdate=2013-04-17|publisher=The Official Microsoft Blog|archive-date=2013-04-18|archive-url=https://web.archive.org/web/20130418060413/http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx|dead-url=no}}</ref>

|账号访问、加强认证<ref>{{Cite web|url=https://authy.com/blog/enable-two-factor-auth-on-your-vpn/|title=Spend 1 Day To 2FA Your VPN – Authy|accessdate=2017-04-26|archive-date=2020-10-25|archive-url=https://web.archive.org/web/20201025014934/https://authy.com/blog/enable-two-factor-auth-on-your-vpn/|dead-url=no}}</ref>

|<ref>{{Cite web|url=https://docs.servicenow.com/integrate/authentication/concept/c_MultifactorAuthentication.html|title=Multifactor authentication|access-date=2017-11-24|archive-url=https://web.archive.org/web/20181001031354/https://docs.servicenow.com/integrate/authentication/concept/c_MultifactorAuthentication.html|archive-date=2018-10-01|dead-url=yes}}</ref>

|[[Google身份验证器]]<ref>{{Cite web|url=http://code.google.com/p/google-authenticator|title=google-authenticator – Project Hosting on Google Code|accessdate=2010-02-22|archive-date=2010-09-23|archive-url=https://web.archive.org/web/20100923180537/http://code.google.com/p/google-authenticator/|dead-url=no}}</ref>

|登录许可、代号生成器<ref>{{Cite web|url=https://www.facebook.com/help/413023562082171/|title=Extra security feature|accessdate=2014-01-30|archive-date=2019-10-31|archive-url=https://web.archive.org/web/20191031204242/https://www.facebook.com/help/413023562082171|dead-url=no}}</ref>

|Firefox 浏览器同步账号访问<ref>{{Cite web|url=https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/|title=Two-step authentication in Firefox Accounts|accessdate=2018-08-01|work=Mozilla Services|language=en-US|archive-date=2020-11-09|archive-url=https://web.archive.org/web/20201109012518/https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/|dead-url=no}}</ref>

|Amazon Web Services<ref>{{Cite web|url=https://aws.amazon.com/mfa/|title=AWS Multi-Factor Authentication|accessdate=2012-03-06|archive-date=2013-12-13|archive-url=https://web.archive.org/web/20131213162544/http://aws.amazon.com/mfa/|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=http://blog.bitbucket.org/2015/09/10/two-step-verification-is-here/|title=Two-step verification is here|accessdate=2015-09-11|archive-date=2015-10-22|archive-url=https://web.archive.org/web/20151022015910/https://blog.bitbucket.org/2015/09/10/two-step-verification-is-here/|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=https://blog.dropbox.com/2012/08/another-layer-of-security-for-your-dropbox-account/|title=Another layer of security for your Dropbox account|accessdate=2013-05-04|archive-url=https://web.archive.org/web/20130511231048/https://blog.dropbox.com/2012/08/another-layer-of-security-for-your-dropbox-account/|archive-date=2013-05-11|dead-url=yes}}</ref>

|账号访问<ref>{{Cite web|url=https://blog.evernote.com/blog/2013/10/04/two-step-verification-available-to-all-users/|title=Two-Step Verification Available to All Users|accessdate=2015-01-05|archive-date=2018-07-01|archive-url=https://web.archive.org/web/20180701070719/https://blog.evernote.com/blog/2013/10/04/two-step-verification-available-to-all-users/|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=http://www.gandibar.net/post/2013/10/10/Gandi-rolls-out-2-factor-authentication|title=Gandi rolls out two-factor authentication|accessdate=2013-11-21|archive-date=2017-10-27|archive-url=https://web.archive.org/web/20171027001000/http://www.gandibar.net/post/2013/10/10/Gandi-rolls-out-2-factor-authentication|dead-url=yes}}</ref>

|账号访问<ref>{{Cite web|url=https://www.zoho.eu/mail/help/adminconsole/two-factor-authentication.html|title=Two Factor Authentication|accessdate=2017-07-26|archive-date=2018-08-16|archive-url=https://web.archive.org/web/20180816201854/https://www.zoho.eu/mail/help/adminconsole/two-factor-authentication.html|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=https://help.github.com/articles/about-two-factor-authentication|title=About Two-Factor Authentication|accessdate=2013-09-04|archive-date=2019-02-13|archive-url=https://web.archive.org/web/20190213064006/https://help.github.com/articles/about-two-factor-authentication/|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=https://www.hiveage.com/blog/introducing-two-step-verification/|title=Introducing Two-Step Verification|accessdate=2017-02-07|archive-date=2020-08-21|archive-url=https://web.archive.org/web/20200821005957/https://www.hiveage.com/blog/introducing-two-step-verification/|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=http://blog.lastpass.com/2011/11/introducing-support-for-google.html|title=Introducing Support for Google Authenticator|accessdate=2011-11-04|archive-date=2011-11-06|archive-url=https://web.archive.org/web/20111106213422/http://blog.lastpass.com/2011/11/introducing-support-for-google.html|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=https://blog.linode.com/2013/05/02/linode-manager-two-step-auth/|title=Linode Manager Two-Step Authentication|accessdate=2013-05-02|archive-date=2019-05-14|archive-url=https://web.archive.org/web/20190514103013/https://blog.linode.com/2013/05/02/linode-manager-two-step-auth/|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=http://en.support.wordpress.com/security/two-step-authentication|title=Two Step Authentication|accessdate=2014-01-29|publisher=WordPress|archive-date=2020-11-18|archive-url=https://web.archive.org/web/20201118045114/http://en.support.wordpress.com/security/two-step-authentication|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=http://www.hover.com/blog/two-step-signin-is-here/|title=Two-step Signin is Here|accessdate=2014-02-25|archive-date=2018-10-01|archive-url=https://web.archive.org/web/20181001070534/https://www.hover.com/blog/two-step-signin-is-here/|dead-url=no}}</ref>

|账号访问<ref>{{Cite web|url=https://marketplace.owncloud.com/apps/twofactor_totp|title=A Two-Factor-Auth Provider for TOTP (e.g. Google Authenticator)|accessdate=2017-04-30|archive-date=2020-08-21|archive-url=https://web.archive.org/web/20200821003911/https://marketplace.owncloud.com/apps/twofactor_totp|dead-url=no}}</ref>

|TOTP多重因素认证<ref>{{Cite web|url=https://nextcloud.com/blog/nextcloud-11-sets-new-standard-for-security-and-scalability|title=Nextcloud 11 sets new standard for security and scalability|accessdate=2016-12-23|publisher=Nextcloud|archive-date=2019-05-21|archive-url=https://web.archive.org/web/20190521045935/https://nextcloud.com/blog/nextcloud-11-sets-new-standard-for-security-and-scalability/|dead-url=no}}</ref>

|Token2 TOTPRadius - 针对多重因素验证设计的RADIUS服务器<ref>{{Cite web|url=https://token2.com/?content=totpradius|title=Token2 TOTPRadius - a RADIUS server designed for two-factor authentication|accessdate=2017-05-13|publisher=Token2|archive-date=2020-09-30|archive-url=https://web.archive.org/web/20200930072407/https://www.token2.com/?content=totpradius|dead-url=no}}</ref>

|<ref>{{Cite web|url=http://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/|title=[FreddysHouse] Two-factor Authentication|accessdate=2014-02-10|publisher=FreddysHouse|archive-date=2020-09-19|archive-url=https://web.archive.org/web/20200919063212/https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/|dead-url=no}}</ref>

|VIP访问 <ref>{{Cite web|url=https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol/|title=Reversing the Symantec VIP Access Provisioning Protocol|date=2014-09-29|accessdate=2017-11-24|archive-date=2020-11-12|archive-url=https://web.archive.org/web/20201112022418/https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol/|dead-url=no}}</ref>

|密码库<ref>{{Cite web|url=https://www.hashicorp.com/blog/vault-0-7-1/|title=Vault 0.7.1|date=2017-05-05|accessdate=2017-11-24|archive-date=2020-08-21|archive-url=https://web.archive.org/web/20200821013352/https://www.hashicorp.com/blog/vault-0-7-1/|dead-url=no}}</ref><ref>{{Cite web|url=https://www.vaultproject.io/docs/secrets/totp/index.html|title=Vault TOTP Secret Backend|accessdate=2017-07-07|archive-date=2018-11-16|archive-url=https://web.archive.org/web/20181116200256/https://www.vaultproject.io/docs/secrets/totp/index.html|dead-url=no}}</ref><ref>{{Cite web|url=https://www.vaultproject.io/api/secret/totp/index.html|title=Vault TOTP Secret Backend HTTP API|accessdate=2017-07-07|archive-date=2018-11-16|archive-url=https://web.archive.org/web/20181116203836/https://www.vaultproject.io/api/secret/totp/index.html|dead-url=no}}</ref>

|网易将军令<ref>{{Cite web|url=http://ekey.163.com/|title=网易将军令:动态密码账号保护器|accessdate=2020-02-29|archive-date=2020-06-29|archive-url=https://web.archive.org/web/20200629043115/http://ekey.163.com/|dead-url=no}}</ref>

|账号访问 <ref>{{Cite web|url=https://yandex.com/support/passport/authorization/twofa.html|title=Yandex.Passport|date=2015-01-01|accessdate=2017-11-24|archive-date=2020-11-27|archive-url=https://web.archive.org/web/20201127093400/https://yandex.com/support/passport/authorization/twofa.html|dead-url=no}}</ref><ref>{{Cite web|url=https://meduza.io/en/news/2015/02/03/yandex-now-lets-you-log-in-without-a-login-or-a-password|title=Yandex now lets you log in without a login (or a password)|date=2015-02-03|accessdate=2017-11-24|archive-date=2020-08-21|archive-url=https://web.archive.org/web/20200821000938/https://meduza.io/en/news/2015/02/03/yandex-now-lets-you-log-in-without-a-login-or-a-password|dead-url=no}}</ref>

| [[FreeOTP]]<ref>{{Cite web |url=https://freeotp.github.io/ |title=FreeOTP |accessdate=2021-01-20 |archive-date=2021-01-10 |archive-url=https://web.archive.org/web/20210110095801/https://freeotp.github.io/ |dead-url=no }}</ref>

{{reflist|30em}}