Can time-travellers use TOTP codes?


Imagine, just for a moment, you and your friends decide to travel in time. In order to make sure you can authenticate your communications with each other, you set up a shared Time-based One Time Password (TOTP).

The TOTP algorithm uses a Hash-based Message Authentication Code (HMAC). The hash is calculated from a shared key and a time-based component.

The key is a short string of characters. The time-based component is calculated as the number of seconds between now and the Unix Epoch. When is the Unix Epoch? 00:00:00 UTC on Thursday, 1 January 19700. It has been roughly 1.7 billion seconds since then. 64 bit computer systems can count up for another 290 billion years1. So chrononauts journeying to the future should be fine.

But what about people travelling backwards? You and your friends want to go and see The Beatles perform in 1966. That's before 1970. So the time-based component will be a negative number.

I've tried a bunch of different TOTP generators and fed them a variety of negative numbers. They all crashed.

So, no. TOTP doesn't work for anyone travelling backwards in the 4th dimension. Pity.

Is there a serious point to this? Well, sort of.

Negative time is an unexpected input and leads to unusual behaviours. Could a crash in HMAC generation lead to an exploit?

Standards get used in all sorts of places - including retrospectively. Should standards writers specifically account for inputs which occur in the past?

How should computers deal with "preposterous" times?

What other common security tools fail if they're subjected to time-travel?

Which Beatles concert would you go to in 1966?


  1. As an aside, in 1970, the UK was on BST - British Standard Time rather than GMT / UTC. ↩︎

  2. Or, if you're stuck using 32 bit time, until the year 2038↩︎


Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

4 thoughts on “Can time-travellers use TOTP codes?”

  1. said on tech.lgbt:

    @Edent fun question of how your totp device knows the time. If you've gone back before the 70s there isn't GPS to sync to. If the totp device doesn't know it's time travelling then it's clock probably still thinks its minutes after it left. Hope all of you jumped at the same time.

    If you jump back to the same time you left, you now get clock drift errors as you've accumulated the time you spent in the past and your clock thinks it's in the future.

    Of course if you've invented a time machine you can probably make a clock that understands that it's been time travelled.

    Reply | Reply to original comment on tech.lgbt
  2. said on dice.camp:

    @Edent slightly related, I seem to remember lots of discussion around the HTML5 time element, where the creators expected it to be used for current calendars and precise dates, and a bunch of us working in libraries and archives wanted to understand if it would work for a pamphlet published in the missing 11 days of 1752. The world is full of unexpected inputs.

    Reply | Reply to original comment on dice.camp

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">