Time-based One-time Password (TOTP) test page

Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time.   Wikipedia.

The basic mechanism is for the user to have a (client) device that uses the time and the shared secret key to calculate the one-time password. The user then types in this number at the login prompt as a second password in addition to their "normal" password.

The client device can either be a dedicated hardware key or a smartphone app.

Using smartphones

Free apps for the "OATH" open standard are available for both iOS and android. We suggest you install one of these two apps on your smartphone:

• Android: FreeOTP (from google play)
• iOS: HDE OTP Generator (from Apple app store)

Setting up accounts

Once you have installed the app you can set up entries for as many remote accounts as you wish, each with its own shared key. To save typing an 80-character hex key both of the above apps allow you to scan in a QR code instead.

Testing the app

When you start up the app you should see a "+" at the top of the screen. Pressing it should start the camera, point it at the following QR code:

It should install a dummy account entry called "test-account", displaying a six-digit number that changes every 30s. (To save battery it may not always show the number but pressing it should activate it.)

You can delete the test account once you have got to the stage that it is generating the six-digit TOTP.