What is OATH – TOTP (Time)?
OATH is an organization that specifies two open authentication standards: TOTP and HOTP. To authenticate using TOTP (time-based one-time password), the user enters a 6- to 8-digit code that changes every 30 seconds. The code is generated using HMAC(sharedSecret, timestamp), where the timestamp changes every 30 seconds. The shared secret is often provisioned as a QR code or preprogrammed into a hardware security key.
How to use OATH with the YubiKey?
When using OATH with a YubiKey, the shared secrets are stored and processed in the YubiKey’s secure element. This has two advantages over storing secrets on a phone:
Security: The secrets always stay within the YubiKey. A phone can get stolen, sold, infected by malware, have its storage read by a connected computer, etc.
Accessibility: You can display OATH codes on more than one phone or computer. If your phone runs out of battery, you can get a code using a friend’s phone or your computer.