MTOTP: Wouldn't it be nice if you were the 2FA device?
Recorded: Jan. 19, 2026, 10:03 a.m.
| Original | Summarized |
GitHub - VBranimir/mTOTP at develop Skip to content Navigation Menu Toggle navigation
Sign in
Appearance settings PlatformAI CODE CREATIONGitHub CopilotWrite better code with AIGitHub SparkBuild and deploy intelligent appsGitHub ModelsManage and compare promptsMCP RegistryNewIntegrate external toolsDEVELOPER WORKFLOWSActionsAutomate any workflowCodespacesInstant dev environmentsIssuesPlan and track workCode ReviewManage code changesAPPLICATION SECURITYGitHub Advanced SecurityFind and fix vulnerabilitiesCode securitySecure your code as you buildSecret protectionStop leaks before they startEXPLOREWhy GitHubDocumentationBlogChangelogMarketplaceView all featuresSolutionsBY COMPANY SIZEEnterprisesSmall and medium teamsStartupsNonprofitsBY USE CASEApp ModernizationDevSecOpsDevOpsCI/CDView all use casesBY INDUSTRYHealthcareFinancial servicesManufacturingGovernmentView all industriesView all solutionsResourcesEXPLORE BY TOPICAISoftware DevelopmentDevOpsSecurityView all topicsEXPLORE BY TYPECustomer storiesEvents & webinarsEbooks & reportsBusiness insightsGitHub SkillsSUPPORT & SERVICESDocumentationCustomer supportCommunity forumTrust centerPartnersOpen SourceCOMMUNITYGitHub SponsorsFund open source developersPROGRAMSSecurity LabMaintainer CommunityAcceleratorArchive ProgramREPOSITORIESTopicsTrendingCollectionsEnterpriseENTERPRISE SOLUTIONSEnterprise platformAI-powered developer platformAVAILABLE ADD-ONSGitHub Advanced SecurityEnterprise-grade security featuresCopilot for BusinessEnterprise-grade AI featuresPremium SupportEnterprise-grade 24/7 supportPricing Search or jump to... Search code, repositories, users, issues, pull requests...
Search Clear
Search syntax tips Provide feedback Include my email address so I can be contacted Cancel Submit feedback Saved searches
Name Query To see all available qualifiers, see our documentation. Cancel Create saved search Sign in Sign up
Appearance settings Resetting focus You signed in with another tab or window. Reload to refresh your session. Dismiss alert VBranimir mTOTP Public
Notifications
Fork
Star mTOTP is an experimental, manual variant of TOTP designed to be computed by a human without electronic devices. It explores the limits of time-based authentication under strict human constraints and makes no claims of cryptographic equivalence to standard TOTP. MIT license 23 1 Branches Tags Activity
Star
Notifications Code Issues Pull requests Actions Projects Security Uh oh! There was an error while loading. Please reload this page. Insights
Additional navigation options
Code Issues Pull requests Actions Projects Security Insights
VBranimir/mTOTP
developBranchesTagsGo to fileCodeOpen more actions menu Folders and filesNameNameLast commit messageLast commit dateLatest commit History7 Commitsdocsdocs pluginsplugins toolstools .gitignore.gitignore LICENSELICENSE README.mdREADME.md View all filesRepository files navigationREADMELicensemTOTP Table of Contents Introduction PAM demo Overview Introduction deterministic This protocol intentionally allows OTPs to be calculated for future times. Overview a secret numeric key The algorithm uses: a key‑derived digit S‑box No randomness is involved during generation. Example Inputs Secret key (10 digits): 1234598760 Planned login time: Step 1 - Build Time Vector Example: Result: Step 2 - Build Sbox from the Secret Key Read the key left to right Example Unique digits in order: Final S‑box list: S‑box table: Step 3 - Combine Time and Key (mod 10) Call this: Step 4 - Apply Sbox Substitution Apply to: Result: Step 5 - Diffusion (Digit Mixing) Set: a = last digit For each digit from left to right: new_digit = (current_digit + a) mod 10 Example Diffused result: (Length is always preserved.) Step 6 - Fold to 5 Digits or: From our last step result: Calculation: Result: Step 7 - Calculate Final Digit (o6) Final mTOTP Invariants & Sanity Checks S‑box is derived only from the key Testing tool usage About mTOTP is an experimental, manual variant of TOTP designed to be computed by a human without electronic devices. It explores the limits of time-based authentication under strict human constraints and makes no claims of cryptographic equivalence to standard TOTP. Readme MIT license Uh oh! There was an error while loading. Please reload this page. Activity 23 0 1 Report repository Releases Packages No packages published Footer © 2026 GitHub, Inc. Footer navigation Terms Privacy Security Status Community Docs Contact Manage cookies Do not share my personal information You can’t perform that action at this time. |
mTOTP is an experimental framework for manually generating time-based one-time passwords (TOTP) without reliance on electronic devices, designed to explore the feasibility of human-executable authentication under strict cognitive and physical constraints. Unlike conventional TOTP, which leverages cryptographic algorithms and hardware tokens, mTOTP prioritizes deterministic, mental computability by encoding authentication logic into a structured algorithm that can be performed with pen and paper. The protocol’s design emphasizes transparency, reproducibility, and auditability, ensuring that each step can be verified and explained. While it does not claim cryptographic equivalence to standard TOTP, it introduces a novel approach where authentication time becomes an explicit parameter rather than an implicit approximation. This shifts the paradigm from reactive time synchronization to intentional planning, requiring users to predefine the exact moment of authentication and verifiers to validate against that agreed timestamp. The algorithm is explicitly tailored for human execution, with software serving as a secondary tool for verification and assistance. Key design principles include clarity, determinism, and mental tractability, ensuring that each stage of the process remains comprehensible and repeatable without computational aid. The mTOTP algorithm operates through a sequence of seven discrete steps, each involving deterministic transformations of input data derived from a secret numeric key and a planned login time. The process begins by converting the intended authentication moment into a standardized 10-digit format, specifically `YYMMDDHHMM`, which serves as the time vector. For instance, a login planned for January 17, 2026, at 5:00 PM would be encoded as `2601171700`. This time vector is then combined with the secret key—typically a 10-digit number—through position-wise addition modulo 10. This initial combination generates an intermediate value, which is subsequently transformed using a substitution box (S-box) derived from the secret key. The S-box is constructed by enumerating unique digits of the key in their first occurrence order, followed by appending any missing digits (0–9) sequentially. For example, a key of `1234598760` yields an S-box where each input digit maps to the corresponding output digit in the sequence `1, 2, 3, 4, 5, 9, 8, 7, 6, 0`. This substitution introduces non-linearity into the algorithm, ensuring that each digit’s transformation is dependent on the key’s structure rather than arbitrary randomness. After applying the S-box to the intermediate value, the algorithm proceeds to a diffusion step. This involves iteratively modifying each digit based on the cumulative sum of itself and the previous output, modulo 10. This diffusion mechanism ensures that a single digit change propagates through the entire sequence, enhancing resilience against minor errors while remaining computationally simple enough for human execution. The diffused result is then subjected to a folding operation, where digits are paired from the front and back of the sequence and summed modulo 10. This reduces the length to five digits, forming an intermediate OTP (OTP5). A final digit is calculated by summing the five OTP5 digits modulo 10, resulting in a complete six-digit mTOTP code. For example, using the provided steps with the secret key `1234598760` and login time `2601171700`, the resulting mTOTP is `510769`. Throughout this process, several invariants are maintained: the S-box remains exclusively derived from the secret key, the intermediate values preserve length until folding, and the final OTP is consistently six digits. These constraints ensure consistency and reliability in both human and software implementations. The protocol’s documentation also outlines testing mechanisms, including a dedicated tool for algorithm validation and plugins for integration with authentication systems like PAM (Pluggable Authentication Modules) and Keycloak. The PAM plugin enables mTOTP to function as a login authentication method, while the Keycloak module remains under development. These extensions highlight mTOTP’s adaptability to existing infrastructure, though they emphasize that the core algorithm is independent of specific software implementations. The repository’s README and supplementary materials provide detailed walkthroughs of each step, accompanied by illustrative examples to facilitate understanding. For instance, the S-box construction is demonstrated using a sample key, and the diffusion step is explained through an iterative example that transforms a sequence like `4649880581` into `5154200534`. Such examples underscore the algorithm’s emphasis on simplicity and teachability, ensuring that users can internalize the process through practice. A critical aspect of mTOTP’s design is its rejection of cryptographic assumptions inherent in standard TOTP. While traditional TOTP relies on hash functions and secret keys to generate unpredictable tokens, mTOTP sacrifices entropy for human usability. This trade-off means that the generated OTPs are not cryptographically secure in the same way as their electronic counterparts, but they serve a distinct purpose: enabling authentication in scenarios where digital tools are unavailable or restricted. The protocol explicitly acknowledges this limitation, framing its value as a conceptual exploration rather than a direct replacement for established methods. By treating time as an explicit variable rather than a hidden parameter, mTOTP also introduces a unique approach to synchronization. Users must precompute the OTP for the exact moment of authentication, which requires coordination between the user and the verifier. This shifts the burden of time management from automated systems to human planning, aligning with the protocol’s broader goal of decentralizing authentication logic. The repository’s documentation further emphasizes the importance of consistent key management. Users are advised to pad or derive keys shorter than 10 digits using a deterministic method, ensuring uniformity in the S-box generation process. This requirement reflects the algorithm’s sensitivity to key input, as even minor variations in the secret key can lead to divergent S-boxes and subsequent OTPs. Additionally, the diffusion step’s reliance on sequential processing necessitates careful attention to intermediate results, as errors in any stage can propagate and invalidate the final output. These constraints highlight the need for rigorous practice and verification, particularly in high-stakes environments where mTOTP might be deployed. The protocol’s emphasis on auditability allows users to trace each transformation step, providing a transparent framework for debugging and validation. This feature is particularly valuable in educational contexts or scenarios where users must demonstrate the correctness of their computations. While mTOTP’s experimental nature is explicitly stated, its potential applications extend beyond niche use cases. The protocol could serve as a backup authentication method in environments with limited digital infrastructure or as an educational tool for teaching cryptographic principles. Its reliance on manual computation also raises intriguing questions about the intersection of human cognition and security mechanisms, challenging assumptions about the necessity of automation in authentication. However, the protocol’s lack of cryptographic robustness necessitates clear communication of its limitations to users. It is not intended for high-security applications where brute-force attacks or reverse engineering could compromise the secret key. Instead, mTOTP represents a creative exploration of authentication paradigms, prioritizing human agency and simplicity over computational complexity. The repository’s MIT license facilitates further development and adaptation, inviting contributions from the open-source community to refine or expand its capabilities. In summary, mTOTP presents a novel approach to time-based authentication by reimagining the role of humans in the process. Its algorithmic structure balances complexity and simplicity, enabling manual computation through a series of logical steps that are both mathematically sound and cognitively accessible. While it diverges significantly from traditional TOTP in terms of security guarantees, the protocol’s focus on transparency, determinism, and human-centric design offers a valuable alternative for specific use cases. The detailed documentation and example-driven explanations provided in the repository ensure that users can engage with the algorithm effectively, fostering a deeper understanding of its mechanics and limitations. As an experimental project, mTOTP invites further research into the possibilities of manual authentication, challenging the status quo of automated security systems. |