How to test the OTP codes generated by programmable tokens

After you have burnt a seed onto the programmable tokens, you can test the token by comparing the OTP codes with those produced by an online TOTP generator.

Using an Online TOTP Token Generator to test TOTP tokens

There are several online token generator pages that may be used to check the codes generated by a programmed OATH TOTP token, and can be used to confirm that the codes that the token burning process worked without issue.

After programming the token you can test if the OTP codes generated by the token are as expected by comparing the codes with those produced by the following online generator;

• Click here for instructions on using the Deepnet Security online TOTP generator

  The Deepnet Security online TOTP code generator can be accessed at the URL below.

  https://www.deepnetsecurity.com/tools/totp-generator/

  

  • At "Secret Key", fill in the secret key (seed) data that matches the serial number of the token you are testing
  • At "Secret Encoding Format", select the format that matches the format in your CSV file (for azure this will be Base32) 
  • At "OTP Length", select "6 digits"
  • At "Hash Algorithm", select "SHA-1"
  • At "Time Interval", select either "30 seconds" or "60 seconds" (This depends upon use. Commonly, it is 30 seconds).

  When you have supplied all the details above, click , and OTP codes will now start to be generated using the supplied seed data;

  

The online page should now generate matching OTP codes to the token. 

If at this point the codes generated online do not appear to match the codes generated by the token (the one with the matching serial number), then you should first check that the parameters supplied on this page match those in your seed data file.

If after double checking the parameters the generated OTP code still does not match then you may want to check the physical token for time drift using our CHECK CLOCK DRIFT tool.

Using our "Check Clock Drift" tool

Whilst online TOTP generators can be used to confirm if time drift exists on the token, if drift is indicated, then we still need to identify how much the clock on the token has drifted.

Fortunately, we do have a tool that can be used for this task - the CHECK CLOCK DRIFT tool;

The following procedure provides instruction on how to check the extent of time drift on a token;

• Click here for instructions on using the tool to detect time drift

  To use the tool navigate to https://support.deepnetsecurity.com/tools/otp/check-clock-drift.asp then supply the token details for the token to be tested then click 

  If there is no drift for the tested token you will see confirmation as per the following example;

  

  
  

  If drift is detected you will be notified of the number of time windows of drift that were detected for the tested token;

  

  
  

Using the Google Authenticator app

You can of course use the Google Authenticator app and either scan in the QR code that was used by the programming tool, or manually add the token details using the "Enter a setup key" option (just copy the seed details to the box marked "Your key".

Once added the authenticator app will generate 6 digit codes, and as per the Online TOTP generator method you can verify that the token is creating valid OTP codes.

Related Articles

• Deepnet Security online TOTP Generator