totp.me

webmaster@totp.me

3 minute silent screencast showing integration with a sample website.

user workflow screenshots.

Download one of the following bundles containing a client library and sample application:

Pricing (the first month is free):

  • business: 1000 users, $10/month

  • enterprise: 10,000 users, $100/month

  • web-scale: 1 million users, $500/month

  • self-hosted: enquire

Time-based OTP Authentication Service

Add a second factor of authentication to your website for those of your users who have smartphones.

Sign up

How it works

You HTTP-redirect users to us for TOTP authentication and we redirect them back to you when done. Then you can mark their web sessions as authenticated.

The client libraries we provide secure this communication.

An Example in Ruby

require "otpc"

class ExampleController < ApplicationController
  def dologin
    # auth() builds the redirect URL that sends this user to totp.me.
    # When the user is redirected back, the callback receives the
    # controller, the user id that was passed in, and the verification
    # result; it marks the session authenticated (or not) and redirects on.
    redirect_to(
      auth(session,
           params[:login],
           lambda { |ctrl, userid, result|
             if result
               ctrl.session["authed"] = userid
             else
               ctrl.session.delete("authed")
             end
             ctrl.redirect_to({ :action => "loggedin" })
           }))
  end
  ...
end

Benefits

  • We handle the master key generation and storage; QR code generation and its secure serving and deletion; helping users set up their smartphones; correct brute-force rate-limiting; time tolerances; use of secure random numbers; dealing with device loss; and the other issues required to do TOTP authentication right.

  • All of your users who have smartphones already have a TOTP device that can store their keys. Some of them may wish that you offered TOTP authentication so that hackers would be less likely to log in as them.

  • With TOTP, the one-time password is computed independently by the user and the verifier. It doesn't travel over email or SMS.
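To make the last two points concrete, here is an added example (not totp.me's code) of the computation both sides perform: HOTP per RFC 4226 and TOTP per RFC 6238 over a shared secret and the current 30-second time step, plus a verifier that accepts a one-step clock-drift tolerance, compares codes in constant time, and refuses to accept the same time step twice so a captured code cannot be replayed within the window. The secret is the ASCII test key from RFC 6238 Appendix B; the verifier class and its parameter names are this example's own.

```ruby
require "openssl"

# Added example: RFC 4226 HOTP / RFC 6238 TOTP with a tolerance window
# and one-time-use enforcement. Not totp.me's library code.

# Constant-time comparison so a wrong code is rejected without leaking
# how many leading digits matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
# dynamic truncation to 31 bits, then reduce to +digits+ decimal digits.
def hotp(secret, counter, digits: 6)
  hmac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>")).bytes
  offset = hmac[19] & 0x0f
  code = ((hmac[offset] & 0x7f) << 24) |
         (hmac[offset + 1] << 16) |
         (hmac[offset + 2] << 8) |
         hmac[offset + 3]
  (code % (10**digits)).to_s.rjust(digits, "0")
end

# TOTP (RFC 6238): the counter is the number of +step+-second intervals
# since the Unix epoch, so user and verifier derive it independently
# from their own clocks; nothing has to be sent over email or SMS.
def totp(secret, unix_time, step: 30, digits: 6)
  hotp(secret, unix_time / step, digits: digits)
end

# Verifier-side state per user: the last time step that was accepted.
class TotpVerifier
  def initialize(secret, step: 30, digits: 6, tolerance: 1)
    @secret, @step, @digits, @tolerance = secret, step, digits, tolerance
    @last_used_step = -1
  end

  # Accept the current step and +tolerance+ steps on either side (clock
  # drift), but never a step at or before the last one accepted, so the
  # same code cannot be replayed while it is still inside the window.
  def verify(code, unix_time)
    now = unix_time / @step
    (-@tolerance..@tolerance).each do |delta|
      candidate = now + delta
      next if candidate <= @last_used_step
      if secure_equal?(hotp(@secret, candidate, digits: @digits), code)
        @last_used_step = candidate
        return true
      end
    end
    false
  end
end

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_SECRET = "12345678901234567890"

if __FILE__ == $PROGRAM_NAME
  puts totp(RFC6238_SECRET, 59, digits: 8)   # 94287082, per RFC 6238
  v = TotpVerifier.new(RFC6238_SECRET)
  p v.verify(totp(RFC6238_SECRET, 59), 59)   # true
  p v.verify(totp(RFC6238_SECRET, 59), 59)   # false: same step, replay
end
```

Rate limiting is deliberately left out: with six digits and a three-step window an attacker guessing at random has roughly a 3 in 10^6 chance per attempt, so the verifier must also cap attempts per user, which is one of the operational details the bullet above lists.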

Confidentiality

You needn't share users' actual IDs with us. Any unique handle will do, such as their database primary keys. So we can't log in as them. And in any case, we wouldn't know their passwords, the first factor of authentication.

Reliability

Our service must never go down and prevent your entire user base from logging into your site.

Authentication only requires looking up a user's master secret in a hash table. We run backup servers that support just this one operation. If the primary ever goes down, the client library tries the backup servers.

The backup servers are hosted in different continents. Their IPs are served up by two DNS servers, also on different continents.

Data at the backup servers lags the primary by only a few seconds.

Security

The HTTP-redirect based communication between us is encrypted (AES-256 in CTR mode under a fresh nonce) and then MACed, so that the user carrying the redirect can neither tamper with it nor replay it.
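An added illustration of that construction (this is not totp.me's wire format or library code, and the payload, key sizes and token layout are this example's own assumptions): the sender encrypts the payload with AES-256-CTR under a random 16-byte nonce, then computes HMAC-SHA256 over nonce and ciphertext and appends it. The receiver checks the MAC in constant time before it decrypts anything, and keeps a record of nonces it has already accepted so a token lifted from a browser cannot be presented a second time.

```ruby
require "openssl"
require "json"

# Added example of encrypt-then-MAC with a per-message nonce and a replay
# check for a value carried in a redirect URL. Not totp.me's code.

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# URL-safe base64 via pack/unpack (strict decoding raises ArgumentError).
def b64url_encode(blob) = [blob].pack("m0").tr("+/", "-_")
def b64url_decode(text) = text.tr("-_", "+/").unpack1("m0")

class RedirectTokens
  NONCE_LEN = 16  # AES block size, used as the CTR nonce/IV
  MAC_LEN   = 32  # HMAC-SHA256 output length

  # Two independent 32-byte keys: one for encryption, one for the MAC.
  def initialize(enc_key, mac_key)
    unless enc_key.bytesize == 32 && mac_key.bytesize == 32
      raise ArgumentError, "keys must be 32 bytes"
    end
    @enc_key, @mac_key = enc_key, mac_key
    @seen_nonces = {}  # replay cache; a real service would persist and expire it
  end

  # nonce || AES-256-CTR(payload) || HMAC-SHA256(nonce || ciphertext)
  def seal(payload)
    nonce = OpenSSL::Random.random_bytes(NONCE_LEN)
    ct = ctr(nonce, JSON.generate(payload))
    tag = OpenSSL::HMAC.digest("SHA256", @mac_key, nonce + ct)
    b64url_encode(nonce + ct + tag)
  end

  # Verify the MAC first, then reject a reused nonce, then decrypt.
  # Returns the payload hash, or nil if the token was tampered with,
  # replayed, or malformed.
  def unseal(token)
    blob = b64url_decode(token)
    return nil if blob.bytesize < NONCE_LEN + MAC_LEN
    nonce = blob[0, NONCE_LEN]
    ct    = blob[NONCE_LEN...-MAC_LEN]
    tag   = blob[-MAC_LEN..]
    expected = OpenSSL::HMAC.digest("SHA256", @mac_key, nonce + ct)
    return nil unless secure_equal?(expected, tag)
    return nil if @seen_nonces[nonce]  # replay of an already-used token
    @seen_nonces[nonce] = true
    JSON.parse(ctr(nonce, ct).force_encoding("UTF-8"))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  # CTR mode is symmetric: the same keystream encrypts and decrypts.
  def ctr(nonce, data)
    c = OpenSSL::Cipher.new("aes-256-ctr")
    c.encrypt
    c.key = @enc_key
    c.iv = nonce
    c.update(data) + c.final
  end
end

if __FILE__ == $PROGRAM_NAME
  keys = RedirectTokens.new(OpenSSL::Random.random_bytes(32),
                            OpenSSL::Random.random_bytes(32))
  tok = keys.seal({ "uid" => 42, "result" => true })
  p keys.unseal(tok)  # {"uid"=>42, "result"=>true}
  p keys.unseal(tok)  # nil: second presentation is a replay
end
```

The order matters: because the MAC covers the nonce and is checked before decryption, a flipped ciphertext bit never reaches the CTR decryption or the JSON parser, and because the nonce is part of what is authenticated, an attacker cannot pair an old ciphertext with a fresh nonce either.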