Time based OTP (TOTP)
🧭 What is TOTP
TOTP (Time-Based One-Time Password) in the REL-ID SDK is a secure mechanism for generating short-lived numeric codes that are valid only for a limited period (typically 30 seconds). These codes serve as a second factor of authentication and are generated locally on the user’s device.
🧩 Key Features in REL-ID
| Feature | Description |
|---|---|
| 🔄 Time-based OTP | Code validity is tied to system time (e.g., changes every 30 seconds) |
| 📱 Generated Locally | TOTP is created using device-stored secrets; works without network |
| 🔐 Protected by Auth | Can require password or LDA (e.g., biometrics or PIN) before generating |
| 📴 Works Offline | No server call is needed to generate the code once registered |
| 👤 User-Specific | Each REL-ID user has a uniquely registered TOTP secret |
| 📆 Short Expiry | TOTP codes expire quickly for enhanced security |
🛠 How TOTP is Used
🔐 As a Second Factor
Used during step-up authentication (e.g., before approving a sensitive transaction).
📴 For Offline Authentication
The user can generate a TOTP even without internet access and provide it to a backend system (e.g., via QR code, verbally, or by manual entry).
🧱 How It Works in REL-ID
- Registration
  - After login, the SDK automatically registers the user for TOTP if not already registered.
  - This uses secure key provisioning to store a TOTP secret locally.
- Generation
  - The user (or app) calls `generateTOTP(userID)`.
  - If needed, the SDK prompts for password or LDA.
  - The SDK generates a time-based code using the locally stored secret.
- Event
  - The SDK triggers `onTOTPGenerated` with the TOTP and its expiry time.
🔁 Example Use Case
A banking app using REL-ID may require users to enter a TOTP code to approve high-value transfers, even while offline. The REL-ID SDK ensures this code is locally generated, secure, and validated by the backend server.
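To make the generation step and the backend validation step concrete, here is an added, self-contained example that is not part of the REL-ID SDK or its documentation. It implements the standard TOTP algorithm (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 30-second step, 6 digits), returns the code together with its expiry time in the shape of an `onTOTPGenerated` payload, and shows the server-side check a backend would run: constant-time comparison, a small clock-skew window, and a replay guard so one code cannot approve two transfers. The secret, time values and the `TotpVerifier` class are constructed for this example; the actual provisioning and storage of the secret inside the SDK is not modelled here.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

TIME_STEP = 30   # seconds per code, as described on this page
DIGITS = 6       # common authenticator-app length


def totp_counter(unix_time: int, step: int = TIME_STEP) -> int:
    """RFC 6238: the moving factor is the number of whole time steps since the epoch."""
    return int(unix_time) // step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def generate_totp(secret: bytes, now: Optional[int] = None) -> Tuple[str, int]:
    """Device side. Returns (code, expires_at) where expires_at is the Unix time at
    which the current time step ends, mirroring the code + expiry delivered to onTOTPGenerated."""
    now = int(time.time()) if now is None else int(now)
    counter = totp_counter(now)
    expires_at = (counter + 1) * TIME_STEP
    return hotp(secret, counter), expires_at


class TotpVerifier:
    """Backend side (constructed for this example). Accepts a code if it matches the
    current step or one step either side, never accepts a step that was already used."""

    def __init__(self, secret: bytes, skew_steps: int = 1) -> None:
        self.secret = secret
        self.skew = skew_steps
        self.last_counter = -1  # highest counter already accepted; guards against replay

    def verify(self, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        base = totp_counter(now)
        for delta in range(-self.skew, self.skew + 1):
            candidate = base + delta
            if candidate <= self.last_counter:
                continue  # code from an already-consumed step: replay, reject
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed shared secret (the RFC 6238 reference key); a real secret would be
    # provisioned into secure storage on the device and never printed.
    secret = b"12345678901234567890"
    code, expires_at = generate_totp(secret)
    print(f"TOTP {code} valid until {expires_at} ({expires_at - int(time.time())}s left)")
    backend = TotpVerifier(secret)
    print("first use accepted:", backend.verify(code, int(time.time())))
    print("replay accepted:", backend.verify(code, int(time.time())))
```

The `expires_at` value is what an app should show next to the code so the user knows how long it remains usable; the backend's replay guard is the piece that keeps a code observed in transit (QR code, spoken aloud, typed in) from being reused for a second transaction within the same time step.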