Understanding RFC 6238 (TOTP Standard)
Deep dive into RFC 6238, the official TOTP specification. Understand the standard's requirements, test vectors, algorithm parameters, and how to build a compliant implementation.
Detailed Explanation
RFC 6238: The TOTP Specification
RFC 6238 ("TOTP: Time-Based One-Time Password Algorithm"), published in May 2011, is the Internet standard that defines how time-based one-time passwords work. Understanding this specification is essential for building interoperable TOTP implementations.
Relationship to RFC 4226
RFC 6238 is an extension of RFC 4226 (HOTP). It replaces HOTP's incrementing counter with a time-derived counter:
HOTP(K, C) → TOTP(K, T)
where T = floor((Current_Unix_Time - T0) / X)
- K: shared secret key
- T0: Unix time to start counting from (default: 0, i.e., epoch)
- X: time step in seconds (default: 30)
Algorithm Specification
The RFC defines three HMAC modes; only HMAC-SHA-1 is mandatory to implement:
| Mode | Key Length | Notes |
|---|---|---|
| HMAC-SHA-1 | 20 bytes | Required, default |
| HMAC-SHA-256 | 32 bytes | Recommended |
| HMAC-SHA-512 | 64 bytes | Optional |
Test Vectors
RFC 6238 provides test vectors for validation. Using the ASCII secret "12345678901234567890" (SHA-1) with known timestamps:
| Time (Unix) | Time Step | TOTP |
|---|---|---|
| 59 | 0x0000000000000001 | 94287082 |
| 1111111109 | 0x00000000023523EC | 07081804 |
| 1111111111 | 0x00000000023523ED | 14050471 |
| 1234567890 | 0x000000000273EF07 | 89005924 |
| 2000000000 | 0x0000000003F940AA | 69279037 |
These vectors use 8-digit codes. Test your implementation against these values to confirm correctness.
Key Security Recommendations
The RFC makes several important recommendations:
- Key length: "keys SHOULD be of the length of the HMAC output" (20 bytes for SHA-1)
- Time step: "a default time-step size of 30 seconds is RECOMMENDED"
- Validation window: implementations "MAY use a larger acceptable OTP validation window" to handle transmission delays
- Resynchronization: "the validator can store the drift... and use it in subsequent verifications"
Implementation Notes
The RFC clarifies several points that are often misunderstood:
- The time counter is an 8-byte big-endian unsigned integer (even though current values fit in 4 bytes)
- The secret key is the raw bytes, not the Base32 encoding
- T0 (the start time) is almost always 0 (Unix epoch) in practice
- The time step X can be any positive integer, but 30 is the universal default
Compliance Checklist
To claim RFC 6238 compliance:
- Support HMAC-SHA-1 at minimum
- Default time step of 30 seconds
- 8-byte big-endian time counter encoding
- Dynamic truncation per RFC 4226 Section 5.4
- Pass all test vectors from Section 5 of RFC 6238
- Support configurable digit count (6 or 8)
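A compliant implementation in Python, added here as an example (not code from the RFC or from any particular library), that exercises the points above: the raw-byte seed, the 8-byte big-endian counter, RFC 4226 dynamic truncation, the test vectors, and a drift-tolerant validation window. The `verify_totp` helper and its `window` parameter are this example's own design, not something the RFC names.

```python
import hashlib
import hmac
import struct

# RFC 6238 test-vector seed for HMAC-SHA-1: raw ASCII bytes, not a Base32 string
# (Base32 is only a transport encoding for provisioning the key).
SEED_SHA1 = b"12345678901234567890"

# (unix_time, expected 8-digit TOTP) pairs from the RFC 6238 SHA-1 test vectors.
RFC6238_SHA1_VECTORS = [
    (59, "94287082"),
    (1111111109, "07081804"),
    (1111111111, "14050471"),
    (1234567890, "89005924"),
    (2000000000, "69279037"),
]

def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)  # always 8 bytes, even when the value fits in 4
    mac = hmac.new(key, msg, digestmod).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 Section 5.4: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros (07081804)

def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with T = floor((unix_time - t0) / step)."""
    return hotp(key, (unix_time - t0) // step, digits, digestmod)

def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock drift).
    Comparison is constant-time so response timing does not leak how many digits matched."""
    for delta in range(-window, window + 1):
        expected = totp(key, unix_time + delta * step, step, 0, digits, digestmod)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

def check_rfc6238_vectors() -> bool:
    """Return True only if every SHA-1 test vector above is reproduced exactly."""
    return all(totp(SEED_SHA1, t, digits=8) == code for t, code in RFC6238_SHA1_VECTORS)

if __name__ == "__main__":
    print("RFC 6238 SHA-1 vectors pass:", check_rfc6238_vectors())
```

Swap `digestmod` for `hashlib.sha256` or `hashlib.sha512` (with a 32- or 64-byte seed) to exercise the other two modes the RFC allows.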
Use Case
Developers building a TOTP library or auditing an existing implementation need to understand the RFC to ensure interoperability with all authenticator apps. This reference is essential when your TOTP codes do not match the RFC test vectors, when a security auditor asks for RFC compliance documentation, or when debugging subtle implementation bugs by comparing your algorithm step-by-step against the specification. The test vectors alone can save hours of debugging.