TOTP authentication

TOTP (Time-Based One-Time Password) is a widely used MFA method where a temporary code is generated on your mobile device or an authenticator app. This code changes every 30-60 seconds and is required in addition to your password when you log in.

How TOTP works

TOTP is based on two main components:

  • Secret Key (Shared Secret)
    • A unique secret key is generated for each user during MFA setup.
    • This key is shared between the authentication system (Infor MFA Service) and the authenticator app.
    • The key is typically encoded in a QR code for easy setup.
  • Current Timestamp
    • TOTP uses the current Unix timestamp (number of seconds since 01-01-1970).
    • Time is divided into fixed time intervals, for example:v30 seconds.

A short-lived unique code is generated using the combination of the Current Time and the unique Secret Key for each user.

When the user opens the authenticator app, retrieves the latest code, and enters the TOTP code on MFA page, the Infor MFA service independently calculates the expected TOTP based on the same stored unique secret key of the user and the current time.

If the code matches, access is granted; otherwise, the MFA validation fails.

Benefits of using TOTP over other methods

  • Stronger security than SMS-based authentication
  • Works even without an internet connection
  • Reduces the risk of phishing and unauthorized access

Prerequisites

To use TOTP as the MFA authentication method, you must have a smartphone or a device with an authenticator app, such as:

  • Google Authenticator (iOS/Android)
  • Microsoft Authenticator (iOS/Android)
  • Authy (iOS/Android/Desktop)

There are multiple authenticator apps available for iOS/Android that support the TOTP standard. When choosing the TOTP-supported app, you must ensure that it follows the security best practices.