
TOTP (Time-based One-Time Password)

Identity

Short-lived 6-8 digit code regenerated every 30 s, RFC 6238.

TOTP (Time-based One-Time Password, RFC 6238) is the algorithm that generates short-lived codes (typically 6 digits) renewed every 30 seconds. It is the basis of the authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden) used as a second factor for MFA.

How it works:
(1) **Setup**: the server generates a random secret (RFC 4226 requires at least 128 bits and recommends 160; 20 random bytes is the usual choice), encodes it in base32 and shows the user a QR code containing a provisioning URI (`otpauth://totp/AppName:<account>?secret=...&issuer=AppName`).
(2) The user scans the QR code with an authenticator app → the secret is stored in the app. The server must keep the same raw secret, since both sides need it to compute codes.
(3) **Authentication**: the app computes the counter C = floor((unix_time - T0) / X), then HMAC-SHA1(secret, C encoded as an 8-byte big-endian integer), applies dynamic truncation (4 bytes taken at the offset given by the low nibble of the MAC, top bit cleared) and reduces the result mod 10^6 → 6-digit code shown to the user.
(4) The server performs the same computation → compares in constant time → if it matches, the code is accepted, and that time step should be recorded as used so the same code cannot be replayed.

Standard parameters: T0 = 0 (Unix epoch), X = 30 s (time step), 6 digits, HMAC-SHA1 (RFC 6238 also allows HMAC-SHA256 and HMAC-SHA512, and some apps support them, but they are less widely compatible).
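The four steps above and the standard parameters, as an added example written for this glossary entry (it is not code from the page or from any authenticator app); it uses only the Python standard library and is checked against the test vectors published in the RFC 4226 and RFC 6238 appendices. The function names (`hotp`, `totp`, `verify_totp`) and the `last_counter` replay bookkeeping are this example's own choices, as is the `AppName`/`alice` enrolment shown at the bottom; the provisioning-URI query parameters follow the common `otpauth://` key URI format rather than RFC 6238 itself. `verify_totp` also covers the server-side points of step (4): the ±1 step drift window and rejection of an already-used time step.

```python
"""RFC 4226 (HOTP) and RFC 6238 (TOTP) from the standard library only.

Added example for this glossary entry, not code from the page or from any
authenticator app. verify_totp/last_counter are this example's own design.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                    # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the top bit (31 bits)
    return str(code % 10 ** digits).zfill(digits)              # keep leading zeros ("07081804")


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter C = floor((T - T0) / X). Defaults are the standard parameters."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def generate_secret(nbytes: int = 20) -> str:
    """Setup step (1): random 160-bit secret, base32-encoded for the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Inverse of generate_secret; accepts the spaced, lower-case, unpadded form apps display."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))          # restore base32 padding


def provisioning_uri(issuer: str, account: str, b32_secret: str, digits: int = 6,
                     step: int = 30, algorithm: str = "SHA1") -> str:
    """otpauth:// URI embedded in the enrolment QR code; the label is 'issuer:account'."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_secret}&issuer={quote(issuer)}"
            f"&algorithm={algorithm}&digits={digits}&period={step}")


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6,
                algorithm: str = "sha1") -> "tuple[bool, int]":
    """Server-side check, step (4).

    Accepts the current step and +/-window neighbouring steps (clock drift), rejects any
    step at or before the last accepted one (replay, as RFC 6238 section 5.2 advises),
    compares in constant time, and returns (accepted, new_last_counter) for the caller
    to persist alongside the user's secret.
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_counter:                          # already consumed or too old
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits, algorithm), code):
            return True, candidate
    return False, last_counter


# Test secrets from the RFC 4226 / RFC 6238 appendices (ASCII "1234567890" repeated).
RFC_SECRET_SHA1 = b"12345678901234567890"
RFC_SECRET_SHA256 = b"12345678901234567890123456789012"

if __name__ == "__main__":
    # Enrolment for a constructed account "alice" at issuer "AppName" (hypothetical names).
    b32 = generate_secret()
    print(provisioning_uri("AppName", "alice", b32))
    raw = decode_secret(b32)
    now = int(time.time())
    code = totp(raw, now)
    accepted, last = verify_totp(raw, code, now)
    print("code:", code, "accepted:", accepted)
    print("replay accepted:", verify_totp(raw, code, now, last_counter=last)[0])
```

The server persists `last_counter` per user; with the default ±1 window a code stays valid for roughly 90 s, so the replay check matters more than the window suggests. Because `hotp` and `totp` are the same for every app, the only things that need to match between server and app are the raw secret, the hash algorithm, the digit count and the step.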

Strengths: (1) **No network required**, works offline once set up; (2) **Open standard**, interoperable across apps; (3) **Better than SMS**, no SIM swap, no SMS interception; (4) **Free**, no SMS costs; (5) **Wide support**, virtually every authenticator app.

Weaknesses:
(1) **Phishable**: adversary-in-the-middle (AiTM) proxies such as Evilginx capture the TOTP code in real time and relay it to the real server within its validity window.
(2) **Backup challenges**: losing the phone means losing access unless a backup (recovery codes, a second enrolled device) was set up. Modern apps (Authy, 1Password) sync encrypted backups to the cloud, which reduces this risk.
(3) **Secret leak**: the server must keep the shared secret in recoverable form (it cannot be stored as a one-way hash like a password), so an attacker who reads it from a compromised database can generate valid codes indefinitely; encrypt secrets at rest with a key held outside the database.
(4) **Time sync required**: clock drift breaks codes; servers typically tolerate a window of ±1 step (RFC 6238 also recommends rejecting a time step that has already been used, to prevent replay of a captured code).

Versus alternatives:
- **vs HOTP** (counter-based, RFC 4226): TOTP has the simpler UX (no counter resynchronization when the user generates codes without submitting them).
- **vs push notifications** (Duo, Authy push): TOTP does not require connectivity, but push is more user-friendly (no code typing).
- **vs FIDO2/Passkeys**: TOTP is much weaker (phishable). NIST SP 800-63B treats FIDO2 as phishing-resistant and TOTP as not, so FIDO2 is recommended over TOTP for high-value accounts.
- **vs SMS**: TOTP is stronger (no dependency on the telecom network).

Ideal use cases: (1) standard 2FA for most consumer and enterprise apps; (2) backup factor for FIDO2 (if the security key or device is unavailable); (3) self-hosted services. For maximum security, FIDO2/Passkeys are preferable. Relevant certifications: SC-300, Security+, CISSP.

Certifications covering this concept: SC-300, Security+, CISSP

Related terms: HOTP (HMAC-based One-Time Password), MFA (Multi-Factor Authentication), U2F (Universal 2nd Factor, deprecated), FIDO2 (Fast Identity Online 2)
