Unit II
                                                      Fundamentals of Algorithms in Cybersecurity
Assignment Questions
Q1. Explain Data Encryption Standard (DES) and Rivest-Shamir-Adleman (RSA) Algorithms.
answer:1. Rivest-Shamir-Adleman (RSA) algorithm : 

RSA stands for Rivest-Shamir-Adleman. It is a cryptosystem used for secure data transmission. In RSA algorithm, encryption key is public but decryption key is private. This algorithm is based on mathematical fact that factoring the product of two large prime numbers is not easy. It was developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977. 



Here’s an example of how to implement the RSA algorithm in Python:



import random
 
# Function to check if a number is prime
 
 
def is_prime(n):
    if n <= 1:
        return False
    for i in range(2, int(n**0.5) + 1):
        if n % i == 0:
            return False
    return True
 
# Function to generate a prime number of specified length
 
 
def generate_prime(length):
    while True:
        prime_candidate = random.randint(2**(length-1), 2**length - 1)
        if is_prime(prime_candidate):
            return prime_candidate
 
# Function to calculate the greatest common divisor (GCD) of two numbers
 
 
def gcd(a, b):
    while b != 0:
        a, b = b, a % b
    return a
 
# Function to find the modular inverse of a number
 
 
def mod_inverse(a, m):
    if gcd(a, m) != 1:
        return None
    u1, u2, u3 = 1, 0, a
    v1, v2, v3 = 0, 1, m
    while v3 != 0:
        q = u3 // v3
        v1, v2, v3, u1, u2, u3 = (
            u1 - q * v1,
            u2 - q * v2,
            u3 - q * v3,
            v1,
            v2,
            v3,
        )
    return u1 % m
 
# Function to generate RSA keys
 
 
def generate_rsa_keys(key_length):
    # Generate two distinct prime numbers
    p = generate_prime(key_length // 2)
    q = generate_prime(key_length // 2)
 
    # Compute modulus
    modulus = p * q
 
    # Compute Euler's totient function
    phi = (p - 1) * (q - 1)
 
    # Choose encryption exponent e (usually a small prime number)
    e = 65537
 
    # Compute decryption exponent d
    d = mod_inverse(e, phi)
 
    return (e, modulus), (d, modulus)
 
# Function to encrypt a message using RSA
 
 
def encrypt(message, public_key):
    e, modulus = public_key
    encrypted = [pow(ord(c), e, modulus) for c in message]
    return encrypted
 
# Function to decrypt a message using RSA
 
 
def decrypt(ciphertext, private_key):
    d, modulus = private_key
    decrypted = [chr(pow(c, d, modulus)) for c in ciphertext]
    return ''.join(decrypted)
 
 
# Example usage
message = "HELLO"
 
# Generate RSA keys with a key length of 512 bits
public_key, private_key = generate_rsa_keys(512)
 
# Encrypt the message using the public key
encrypted_message = encrypt(message, public_key)
 
# Decrypt the ciphertext using the private key
decrypted_message = decrypt(encrypted_message, private_key)
 
print("Original Message:", message)
print("Encrypted Message:", encrypted_message)
print("Decrypted Message:", decrypted_message)
This code generates RSA keys, encrypts a message using the public key, and decrypts the ciphertext using the private key. The generate_rsa_keys function generates the public and private keys, encrypt function performs encryption, and decrypt function performs decryption. 

Output :

Original Message: HELLO
Encrypted Message: [343, 466, 125, 125, 141]
Decrypted Message: HELLO
In this example, the message “HELLO” is encrypted using the RSA algorithm with a randomly generated public key. The encrypted message is represented as a list of numbers. Then, the ciphertext is decrypted using the corresponding private key, resulting in the original message being retrieved successfully.

2. Digital Signature Algorithm (DSA) : 

DSA stand for Digital Signature Algorithm. It is used for digital signature and its verification. It is based on mathematical concept of modular exponentiation and discrete logarithm. It was developed by National Institute of Standards and Technology (NIST) in 1991. 

It involves four operations:

Key Generation
Key Distribution
Signing
Signature Verification


Here’s an example of how to implement the DSA (Digital Signature Algorithm) in Python using the ‘cryptography‘ library: 


from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import dsa
from cryptography.hazmat.backends import default_backend
 
# Key Generation
private_key = dsa.generate_private_key(
    key_size=1024,
    backend=default_backend()
)
public_key = private_key.public_key()
 
# Message
message = b"Hello, world!"
 
# Signature Generation
hash_algorithm = hashes.SHA256()
signature = private_key.sign(
    message,
    algorithm=hash_algorithm
)
 
# Signature Verification
try:
    public_key.verify(
        signature,
        message,
        algorithm=hash_algorithm
    )
    print("Signature is valid.")
except:
    print("Signature is invalid.")
The example showcases the generation of a DSA private key, signing a message using the private key, and verifying the signature using the corresponding public key. Depending on the validity of the signature, it will print either “Signature is valid.” or “Signature is invalid.”

Output :

Signature is valid.
This output indicates that the signature verification was successful, and the signature is valid for the given message and public key.

Difference between RSA algorithm and DSA :

RSA	DSA
It is a cryptosystem algorithm.	It is digital signature algorithm.
It is used for secure data transmission.	It is used for digital signature and its verification.
It was developed in 1977.	While it was developed in 1991.
It was developed by Ron Rivest, Adi Shamir and Leonard Adleman.	It was developed by National Institute of Standards and Technology (NIST).
It uses mathematical concept of factorization of product of two large primes.	It uses modular exponentiation and discrete logarithm.
It is slower in key generation.	While it is faster in key generation as compared to RSA.
It is faster than DSA in encryption.	While it is slower in encryption.
It is slower in decryption.	While it is faster in decryption.
It is best suited for verification and encryption.	It is best suited for signing in and decryption.																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																													   Q2. Explain Diffie-Hellman Key Exchange Algorithm With an Example																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																											     answer:Diffie-Hellman algorithm:
The Diffie-Hellman algorithm is being used to establish a shared secret that can be used for secret communications while exchanging data over a public network using the elliptic curve to generate points and get the secret key using the parameters.  

For the sake of simplicity and practical implementation of the algorithm, we will consider only 4 variables, one prime P and G (a primitive root of P) and two private values a and b.
P and G are both publicly available numbers. Users (say Alice and Bob) pick private values a and b and they generate a key and exchange it publicly. The opposite person receives the key and that generates a secret key, after which they have the same secret key to encrypt.

Step-by-Step explanation is as follows:  

Alice	Bob
Public Keys available = P, G	Public Keys available = P, G
Private Key Selected = a	Private Key Selected = b
Key generated = 

x = G^a mod P 

Key generated = 

y = G^b mod P 

Exchange of generated keys takes place
Key received = y	key received = x
Generated Secret Key = 

k_a = y^a mod P 

Generated Secret Key = 

k_b = x^b mod P 

Algebraically, it can be shown that 

k_a = k_b 

Users now have a symmetric secret key to encrypt
Example: 

Step 1: Alice and Bob get public numbers P = 23, G = 9

Step 2: Alice selected a private key a = 4 and
        Bob selected a private key b = 3

Step 3: Alice and Bob compute public values
Alice:    x =(9^4 mod 23) = (6561 mod 23) = 6
        Bob:    y = (9^3 mod 23) = (729 mod 23)  = 16

Step 4: Alice and Bob exchange public numbers

Step 5: Alice receives public key y =16 and
        Bob receives public key x = 6

Step 6: Alice and Bob compute symmetric keys
        Alice:  ka = y^a mod p = 65536 mod 23 = 9
        Bob:    kb = x^b mod p = 216 mod 23 = 9

Step 7: 9 is the shared secret.
Implementation:  

 
/* This program calculates the Key for two persons
using the Diffie-Hellman Key exchange algorithm using C++ */
#include <cmath>
#include <iostream>
 
using namespace std;
 
// Power function to return value of a ^ b mod P
long long int power(long long int a, long long int b,
                    long long int P)
{
    if (b == 1)
        return a;
 
    else
        return (((long long int)pow(a, b)) % P);
}
 
// Driver program
int main()
{
    long long int P, G, x, a, y, b, ka, kb;
 
    // Both the persons will be agreed upon the
    // public keys G and P
    P = 23; // A prime number P is taken
    cout << "The value of P : " << P << endl;
 
    G = 9; // A primitive root for P, G is taken
    cout << "The value of G : " << G << endl;
 
    // Alice will choose the private key a
    a = 4; // a is the chosen private key
    cout << "The private key a for Alice : " << a << endl;
 
    x = power(G, a, P); // gets the generated key
 
    // Bob will choose the private key b
    b = 3; // b is the chosen private key
    cout << "The private key b for Bob : " << b << endl;
 
    y = power(G, b, P); // gets the generated key
 
    // Generating the secret key after the exchange
    // of keys
    ka = power(y, a, P); // Secret key for Alice
    kb = power(x, b, P); // Secret key for Bob
    cout << "Secret key for the Alice is : " << ka << endl;
 
    cout << "Secret key for the Bob is : " << kb << endl;
 
    return 0;
}
// This code is contributed by Pranay Arora
Output:

The value of P : 23
The value of G : 9

The private key a for Alice : 4
The private key b for Bob : 3

Secret key for the Alice is : 9
Secret Key for the Bob is : 9																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																															       Q3. Explain Digital Signature Algorithm (DSA) With an Example.																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																														                                      answer:A Digital Signature is a verification method made by the recipient to ensure the message was sent from the authenticated identity. When a customer signs a check, the bank must verify that he issued that specific check. In this case, a signature on a document acts as a sign of authentication and verifies that the document is authentic.

Suppose we have:

Alice is the entity that sends a message or initiates communication.
Bob represents the recipient or receiver of the message.
Eve represents an eavesdropper or adversary who may attempt to intercept or tamper with the communication.
In Public Key cryptography (also known as Asymmetric cryptography), the communication process is as follows:

Alice encrypts the message using Bob’s public key.
The encrypted message reaches Bob.
Bob decrypts the message sent by Alice using his private key.
Now, suppose when Alice sends a message to Bob, then Bob will check if the sender is authentic; to ensure that it was Alice who sent the message, not Eve. For this, Bob can ask Alice to sign the message electronically. So we can say that an electronic signature can prove that Alice is authentic and is the one sending the message. We called this type of signature a digital signature.

What is Digital Signature?
Digital Signature is a verification method. Digital signatures do not provide confidential communication. If you want to achieve confidentiality, both the message and the signature must be encrypted using either a secret key or a public key cryptosystem. This additional layer of security can be incorporated into a basic digital signature scheme.

Model of Digital Signature Process
Model of Digital Signature Process

Methods of Digital Signature
These two are standard Approaches to implement the Digital Signature:

Rivest-Shamir-Adleman (RSA)
Digital Signature Algorithm (DSA)
Rivest-Shamir-Adleman (RSA)
In the RSA approach, the message that needs to be signed is first fed into a hash function that generates a secure hash code of fixed length. The sender’s private key is then used to encrypt the hash code which makes it signature. The next step involves sending both the signature and the message to the intended receiver. For validation purposes, after receiving the message, the recipient first computes its hash-code. The sender’s public key is applied by recipient to decrypt this already encrypted signature. In case if decrypted signature corresponds to recipient-produced hashcode, that means that signature would be considered as valid. Since only the sender has access to the private key, only they could have produced a valid signature.

You can refer the below diagram for RSA, here,

M = Message or Plaintext
H = Hash Function
|| = bundle the plantext and hash function (hash digest)
E = Encryption Algorithm
D = Decryption Algorithm
PUa = Public key of sender
PRa = Private key of sender
RSA approach
RSA approach

Digital Signature Algorithm (DSA)
The DSA (Digital Signature Algorithm) approach involves using of a hash function to create a hash code, same as RSA. This hash code is combined with a randomly generated number k as an input to a signature function. The signature function depends on the sender’s private key (PRa) as well as a set of parameters that are known to a group of communicating principals. This set can be considered as a global public key (PUG). The output of the signature function is a signature with two components, s and r. When an incoming message is received, a hash code is generated for the message. This hash code is then combined with the signature and input into a verification function. The verification function depends on the global public key as well as the sender’s public key (PUa) which is paired with the sender’s private key. The output of the verification function returns a value equal to the signature’s component r, if the signature is valid. The signature function is designed in such a way that only the sender, with knowledge of the private key, can produce a valid signature.

You can refer below diagram for DSA, where,

M = Message or Plaintext
H = Hash Function
|| = bundle the plantext and hash function (hash digest)
E = Encryption Algorithm
D = Decryption Algorithm
PUa = Public key of sender
PRa = Public key of sender
Sig = Signature function
Ver = Verification function
PUG = Global public Key
DSA Approach
DSA Approach

Primary Termologies
User’s Private Key (PR): This key is publicly known and can be shared with anyone. It’s used to verify digital signatures created with a corresponding private key.
User’s Public Key (PU): A top-secret cryptographic key only possessed by the user is used in DSA algorithm’s digital signature generation. As it is, the private key must be kept secret and secure because it proves that a given user is genuine.
Signing (Sig): Signing involves creating a digital signature with the help of a user’s private key. In case of DSA, this process requires mathematical operations to be performed on the message that should be signed using a given private key in order to generate a unique signature for that message.
Verifying (Ver): Verifying is the process of verifying whether or not a digital signature has been forged using its corresponding public key. In DSA, this involves comparing the messages hash against the verification value through mathematical operations between two binary strings – one representing an encrypted data and another one representing plain-text original message.
Steps to Perform DSA
The Digital Signature Algorithm (DSA) is a public-key technique (i.e., assymetric cryptography) and it is used to provide only the digital signature function, and it cannot be used for encryption or key exchange.

The Steps to perform the Digital Signature Algorithm can be broadly divided into:

Global Public-Key Components
User’s Private Key
User’s Public Key
Signing
Verifying
1. Global Public-Key Components
There are three parameters that are public and can be shared to a set of users.

A prime number p is chosen with a length between 512 and 1024 bits such that q divides (p – 1). So, p is prime number where 2L-1 < p <2L for 512<= L<=1024 and L is a multiple of 64; i.e., bit length of between 512 and 1024 bits in increments of 64 bits.
Next, an N-bit prime number q is selected. So, q is prime divisor of (p – 1), where 2N-1 < q < 2N i.e., bit length of N bits.
Finally, g is selected to be of the form h(p-1)/q mod p, where h is an integer between 1 and (p – 1) with the limitation that g must be greater than 1. So, g is = h(p – 1)/q mod p, where h is any integer with 1 < h < (p – 1) such that h(p-1)/q mod p > 1.
If a user has these numbers, then it can selects a private key and generates a public key.

2. User’s Private Key
The private key x should be chosen randomly or pseudorandomly and it must be a number from 1 to (q – 1), so x is random or pseudorandom integer with 0 < x < q.

3. User’s Public Key
The public key is computed from the private key as y = gx mod p. The computation of y given x is simple. But, given the public key y, it is believed to be computationally infeasible to choose x, which is the discrete logarithm of y to the base g, mod p.

4. Signing
If a user want to develop a signature, a user needs to calculates two quantities, r and s, that are functions of the public key components (p, q, g), the hash code of the message H(M, the user’s private key (x), and an integer k that must be generated randomly or pseudorandomly and be unique for each signing. k is generated randomly or pseudorandomly integer such that 0<k < q.

Signing
Signing

5. Verification
Let M, r′, and s′ be the received versions of M, r, and s, respectively.

Verification is performed using the formulas shown in below:

w = (s′)-1 mod q
u1 = [H(M′)w] mod q
u2 = (r′)w mod q
v = [(gu1 yu2) mod p] mod q
The receiver needs to generate a quantity v that is a function of the public key components, the sender’s public key, and the hash code of the message. If this value matches the r value of the signature, then the signature is considered as valid.

TEST: v = r′

Verification
Verification

Now, at the end it will test on the value r, and it does not depend on the message or plaintext as, r is the function of k and the three global public-key components as mentioned above. The multiplicative inverse of k (mod q) when passed to the function that also has as inputs the message hash code and the user’s private key. The structure of this function is such that the receiver can recover r using the incoming message and signature, the public key of the user, and the global public key.

It is given that there is difficulty in taking discrete logarithms, it is not feasible for an attacker to recover k from r or to recover x from s. The only computationally demanding task in signature generation is the exponential calculation gk mod p. Because this value does not depend on the message to be signed, it can be computed ahead of time. Indeed, a user could precalculate a number of values of r to be used to sign documents as needed. The only other somewhat demanding task is the determination of a multiplicative inverse, k-1 .

Services
Message Authentication: A secure digital signature scheme, like a secure conventional signature (one that cannot be easily copied) can provide message authentication (also referred to as data-origin authentication). Bob can easily confirm that the plaintext/message is sent by Alice as Alice’s public key is used for verification and the Alice’s public key woult not verify the signature signed by Eve’s private key. Hence, A digital signature provides message authentication.
Message Integrity: When we sign a whole message, its integrity remains intact because if the message changes, we won’t get the same signature. Nowadays, digital signature methods use a special function called a hash function in both signing and verifying to ensure the message’s integrity.
Nonrepudiation: If Alice signs a message and later claims she didn’t, can Bob provide evidence that she did? For example, if Alice instructs a bank (Bob) to transfer $10,000 to Ted’s account and then denies sending the message, Bob needs to keep the signed message and use Alice’s public key to recreate it. However, this approach may not work if Alice changes her keys or disputes the authenticity of the file. A solution is involving a trusted third party. This trusted party can authenticate messages and prevent Alice from denying them. In this setup, Alice sends her message along with her identity, Bob’s identity, and her signature to the trusted center. The center verifies the message’s authenticity and timestamps it before creating its own signature. This process ensures that if Alice denies sending the message later, the center can provide evidence to settle the dispute. Encryption can also be added for confidentiality. Thus, nonrepudiation is achievable through a trusted party.
Advantages of DSA
Authentication: At some point, digital signatures ensure strong identity authentication for the sender. The recipient can be sure that the message or document was signed by the purported signatory.

Integrity: Digital signatures ensure the integrity of the content. If something is altered in the content after the signature is made, then it becomes invalid with respect to verifying the content.
Non-Repudiation: A digital signature gives non-repudiation, meaning the sender cannot disclaim his creation of that document post factum. Most relevant in legal and contractual issues.
Efficiency: Digital signatures make the process of signing electronic and automate it, giving way to fast online transactions free from the need of manual verification, paperwork, and a physical signature.
Security: As long as the whole digital signing process is well organized, digital signatures may prove to be secure. Cryptographic public key cryptography and hashing algorithms prevent unauthorized parties from forging digital signatures.
World Acceptance: Such a mechanism (digital signatures) to represent the conclusion of the related transaction in case of legal or contractual terms is known and widely accepted all over the world.
Timestamping: Timestamping would also make another secure layer against replay attacks and against the freshness of the signature.
Cost Savings: The digital signing process discontinues the need for transporting documents, thereby saving on costs to be done with printing, courier services, and manual handling.
Disadvantages of DSA
Key Management Complexity: Cryptographic keys that are used for signing documents must be properly managed. Generating, storing, and distributing keys in a secure manner are all complicated procedures that need to be attended to, and revocation has to be handled carefully.
Infrastructure Dependence: Digital signatures are built on a secure and reliable infrastructure of Public Key Infrastructure (PKI) and Certificate Authorities. If the infrastructure is compromised or becomes unavailable, it may compromise trust in digital signatures.
Legal and Regulatory Challenges: Although many people are increasingly using digital signatures, there might still be legal and regulatory challenges in some places. It will be very important to observe local laws and standards.
Initial Setup Costs: A proper setup of an extensive digital signature system may include the cost of obtaining certificates for digital certificates, putting in place safety measures, and training of the users.
Offline Usability: In the event of not having access to the signer’s private key, digital signatures are found to be challenged. Solutions of hardware tokens and secure elements add to the complexity.
User Education: Education of the proper application and value of digital signatures is necessary in order that the users should be educated in use. The correct measures to be taken against vulnerability, as well as being aware of any possible threat, are important in successful implementation.
Vulnerability to Key Compromise: Private keys need to be safeguarded from unauthorized access since one compromised private key can initiate fraudulent signature.																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																															  4. Explain the Following Types of One-time Password (OTP) Algorithms
with Examples:
a. Time-based OTP (TOTP) b. HMAC-based OTP (HOTP)
answer:The evolution of multi-factor authentication (MFA) is like that from the turning rotary phone, to the first mobile phones, and then the smartphones we use today. The ever-changing landscape of threats and best practices has led to constant innovation in authentication. The MFA we have today is vastly different from that of the ’90s when the earliest form of two-factor authentication (2FA) was invented and patented by AT&T.

2FA is just as the name implies: in addition to a password, an additional factor of authentication must be used to ensure the users' identity. This is especially true when it comes to your personal information (PII) or your organization’s proprietary information (PI). As we all know, a password is only as strong as the person using it, and to remember a password a user may tend to make it something easy like password123! or write it down and stick it to the back of their keyboard. This makes the idea of adding a second form of authentication very appealing as it could drastically decrease the risks associated with weak password policies and poor security practices. In fact, this has been proven to be highly effective at stopping cyber attacks using username and password combinations.

Multi-Factor Authentication (MFA) Assurance Levelsmulti-factor-authorization-assurance-levels

Unfortunately, cybercriminals are constantly evolving and finding new ways to steal login credentials and the data those credentials protect. To properly mitigate risk and keep sensitive information safe organizations need to do more than the traditional layers of defense. As we reviewed in our last blog post, multi-factor authentication (MFA) mitigates risk by requiring additional layers of authentication like something the user knows, has, and is. MFA is not only more secure – it also creates a more user-friendly experience because your users have confidence they are being protected.

In this blog, we want to go beyond the multi-factor authentication overview and look deeper into one of the most used types of MFA called One-Time Password (OTP) and the two primary methods: Time-Based One-Time Passwords (TOTP) and Hash-Based One-Time Passwords (HOTP).


What is a One-Time Password (OTP) and How Does it Work?
OTP is a subcategory of MFA and, as the name suggests, can only be used one time. This means that even if the password (sometimes referred to as a passcode) ends up in the wrong hands it cannot be reused, and the next login by the user will require a completely different authentication code. These one-time passwords can be accessed in various ways such as apps, an SMS text message, a proprietary token – like a YubiKey, email, voice/phone call, and more!

For this reason, OTPs are often used in conjunction with a username and password login as an additional security requirement for users (or multi-factor authentication). Many organizations see OTP as an important part of a secure foundation for strong authentication.

TOTP vs HOTP Authentication

TOTP-HOTP-Differences

 
Advantages + Disadvantages of OTP
Like anything else, there are both pros and cons to not only implementing a one-time password solution but also to the various one-time password solutions themselves. First, we'll take a look at the advantages and disadvantages of OTPs themselves, and then look at some of the various types of OTPs available, and which ones stand out amongst the crowd.

Advantages of One-Time Passwords
One-time passwords (OTPs) are single-use. The single-use password changes with each login attempt the risk of an account being hacked is drastically reduced.
One-time passwords (OTPs) that are randomly generated provide exponentially more security than user-created passwords. Humans are very likely to use the same password across multiple accounts – personal and business. This oversimplification is typical because it is easier for the user to remember which increases security risks.
Integrating One-time passwords (OTPs) makes it difficult for employees to share username and login credentials internally which makes it less likely the credentials could be obtained and used by hackers.
One-time passwords (OTPs) remove the need for memorization altogether since the OTPs are randomly generated by some sort of authenticator app, SMS, voice, email, or physical token.
Disadvantages of One-Time Passwords
User acceptance when implementing OTPs can have its challenges. The less tech-savvy users may find the process inconvenient, unnecessary, or confusing. This creates more work for IT teams by requiring additional explanations. Even users who appreciate and understand the security benefits of OTPs may end up frustrated or annoyed with the process if you don't allow OTP methods they are familiar with. These users prefer using an OTP delivery method that works with their mobile devices (which they are fess less likely to misplace or lose) such as mobile apps, SMS, or email.
If your organization uses hardware tokens for OTP such as a key fob, there’s always a probability the token might be misplaced or lost by a user in your organization. The results can be costly because the hardware is not cheap, and the user may be unable to perform their job functions until the token is replaced. Additionally, if someone else gets their hands on the hardware AND has the employee’s login credentials the consequences could be immense.
Possible delays in receiving an OTP via SMS or email. For example, email filters may send the code to SPAM.
 a. Time-based OTP (TOTP)																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																								 answer:A Time-Based One-Time Password (TOTP, or OTP) is a string of dynamic digits of code, whose change is based on time. Often, these appear as sic-digit numbers that regenerate every 30 seconds.

TOTPs are derived from a secret seed password given at user registration in the form of QR code or in plaintext. TOTPs (and their seeds) are deployed on either hardware security tokens or as soft tokens, meaning mobile device apps that display the numbers. TOTP uses Greenwich Mean Time (GMT) to cipher a code from the secret.

TOTPs are used for two-factor authentication (2FA) or multi-factor authentication (MFA), layered atop shared-secret based static password authentication. After a user has entered a username and password, they are prompted to input a valid TOTP in an additional login field as proof of possession.

Some TOTP-based 2FA and MFA works by having the TOTP arrive on the user's smartphone via SMS text message. This implementation, however, has for years been deprecated by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US federal government that researches and promotes technology innovation. The body observed that SMS 2FA and MFA are unsafe due to a known vulnerability in SS7, the protocol that enables different mobile network operators (MNOs) to communicate.

Barring a Man-in-the-Middle (MITM) attack, or compromise of their root secret, TOTPs add security to already-weak password authentication. Wwithout eavesdropping on SS7 or knowledge of the secret, for most hackers the codes are infeasible to anticipate as they are time-limited.

Example:
"My hardware token displays a TOTP that I use to log into my workstation. I begin by entering my username and password. Then I'm prompted for the TOTP, which I read off of the token and type into the third login field. Once I've done so, I'm logged in. I need to act fast because these codes start expiring, which — if I'm too slow — sometimes yields a login misfire and I need to try again with a fresher TOTP."

b. HMAC-based OTP (HOTP)																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																									 answer:HMAC-based one-time password (HOTP) is a type of one-time password (OTP) that is generated using a keyed-hash message authentication code (HMAC). In an HOTP system, the OTP is generated using a shared secret key, which is known only to the user's device and the authentication server. The OTP is calculated by applying the HMAC algorithm to a counter value, which is incremented each time a new OTP is generated. This ensures that each OTP is unique, and that it can be verified by the authentication server. HOTP is commonly used as part of two-factor authentication (2FA), where it is used in combination with a password or other credential to verify the user's identity. Because HOTP is based on a shared secret key, it is difficult for an attacker to guess or intercept the OTP, even if they know the user's password. This makes HOTP a secure and convenient way to provide additional protection against password-related attacks.