One (more) time passcodes

Passwords seldom stand alone in modern applications, and for good reason. Perhaps they might be guessed or leak or otherwise be broken, so it is a bad idea to make them the only line of defence. This is why multi-factor authentication (MFA) is modern best practice. MFA stipulates that users of a system must combine an account name with:

  • something they know (such as a password), and
  • something they have (such as a token, smartphone or network address assigned to them), or,
  • something they are meaning a biometric factor, such as fingerprint or facial scan.

The Longevitas applications have supported SMS passcodes and account-specific network addresses for a long time. But in our last release we updated our enhanced (or multi-factor) authentication to include TOTP passcodes - time-based one time passcodes - as an alternative to our SMS based HOTP passcodes. The TOTP algorithm defines a series of codes that can identify a user to an online application at a given point in time. The code expected by the user account will change with a predefined frequency - say every minute - so exposure of a single code doesn't pose any long-term risk. TOTP codes are generated on-demand typically by a properly configured smartphone app such as Google Authenticator or FreeOTP.

Why use TOTP passcodes over SMS passcodes? There are a few reasons. First of all, there is a potential delivery delay with SMS passcodes that can sometimes be inconvenient. Even though our main provider averages UK delivery within thirty seconds, delays can be exacerbated by network conditions. Secondly, a user's physical location might make it difficult to reach them by SMS at all, and we'd rather a desk move to the basement didn't prevent access to an important application. Finally, TOTP passcodes also have theoretical security advantages, since SMS messages may be intercepted, although such attacks are difficult to mount in practice. From our perspective, removing potential delivery delays and facilitating user login even from a mobile blackspot are strong reasons to prefer TOTP passcodes moving forward.

You should read full details in the Security FAQ in the application resources area, in Chapter 3 of the downloadable PDF User Guide or in the release notes for version 2.8 of Longevitas or the Projections Toolkit. However, transitioning an account to use TOTP passcodes is pretty straightforward and summarised below.

  • Install a suitable app from the iOS or Android app store, such as Google Authenticator or FreeOTP
  • After login change the configuration for Application ==> Extended Authentication Passcode Type to TOTP via app
  • Navigate to the Your profile page where you will see an expanding area "Enhanced Authentication". Open this to reveal a 2D barcode known as a QR (Quick Response) code.
  • Scan the QR code with your chosen app - this will create a passcode block inside the app you can use to reveal the expected passcode.

In case you've never heard the terminology before, a QR code looks something like this (I've altered this one to make it unusable):

A QR Code

And that is it... Once the app is configured you are able to access your passcode on demand, with no delays and no dependence on SMS connectivity!




Find by key-word


The importance of seasonal analysis was underscored by a recent ... Read more
In my previous blog I showed how suddenly the excess ... Read more
According to British Prime Minister Harold Wilson , " a ... Read more
Gavin Ritchie
Gavin Ritchie is the IT Director of Longevitas