2019 International Conference on Informatics, Multimedia, Cyber and Information System (ICIMCIS)

Implement Time Based One Time Password and Secure Hash Algorithm 1 for Security of Website Login Authentication

1st Henki Seta, Universitas Pembangunan Nasional Veteran Jakarta, Jakarta, Indonesia, henkiseta@upnvj.ac.id
2nd Theresia Wati, Universitas Pembangunan Nasional Veteran Jakarta, Jakarta, Indonesia, theresiawati@upnvj.ac.id
3rd Ilham Cahya Kusuma, Universitas Pembangunan Nasional Veteran Jakarta, Jakarta, Indonesia, ilhamcahyakusuma@gmail.com

Abstract— The use of information systems is a solution to support the operations of an institution. To access an information system in accordance with their access rights, users usually enter a username and password as the authentication process. However, this has a weakness if another party cheats by sniffing or tapping user passwords, which makes the password unsafe to use for accessing information systems. If the username and password are stolen, abuse will occur in the form of crime or theft of the owner's identity and account details such as name, email, telephone number, biological mother's name, account number and others. One solution is to apply a two-factor authentication method using Time-Based One Time Password (TOTP) and Secure Hash Algorithm 1 (SHA1). With this method, the authentication of a website does not depend only on the username and password to enter the user's account; the user also receives a token or code which is used to log in to the account. After one hundred tests, the authentication process using Two-Factor Authentication can tackle possible attacks that abuse user access rights. Time-Based One Time Password and Secure Hash Algorithm 1 generate a code that cannot repeat, because the code can only be used once within a certain time limit, so it is difficult to guess. SHA1 with input strings of different lengths will produce output of a fixed length of 160 bits. The test results show that 30 seconds is short enough to prevent hackers from logging in and taking over the account without permission, and also prove that two-factor authentication can increase the security of the authentication process well. This time is the result of testing the user authentication process until the hacker sniffs the tokens in an attempt to take over the account.

Keywords— Time Based One Time Password, Secure Hash Algorithm 1, Two-Factor authentication, Authentication, Website

I. INTRODUCTION

Technological advances allow people to share live information such as gaming activities, send songs, watch videos, see movies, download music, pictures, articles, and much more. All of that can be done by having an account on the intended site. By registering or having an account on the destination site, users can use the facilities provided by the site. Passwords prevent third parties from accessing sensitive data. The username/password method is the simplest and most common identity authentication method. In fact, because many users want to avoid forgetting their password, they often use a password such as their own or a family member's birthday or telephone number, which is easy for others to guess and carries many hidden security dangers (Wang et al, 2013).

If such services do not properly secure passwords, the data of thousands of users can be at risk. But what happens if an irresponsible party accesses your account? They can damage your data, steal your confidential information, misuse your account by using it for irresponsible actions, and much more. Because information is so valuable, it is often the target of hackers; therefore information security becomes important and must be maintained properly. Information security basically functions to protect information so that no one can read, edit, or change it without permission. One way of minimizing the risk is to use two-factor authentication or multi-factor authentication.

An OTP is based on a hash chain constructed using only a cryptographic hash function, in which the hash chain is the main engine for OTP generation (Park, C. S, 2018). It is therefore very difficult for criminals to obtain the second factor: even if they know the static password, it is very hard for them to obtain the TOTP, especially as they have barely any time to crack it. SHA-1 generates a 160-bit hash value and is often used (by Google Authenticator, for example). By using Time-Based One Time Password (TOTP) and the SHA 1 algorithm, system security does not depend only on the username and password for authentication, but also requires a token or code used to log in to the account.

II. TIME-BASED ONE TIME PASSWORD AND SECURE HASH ALGORITHM 1

A. Time-Based One Time Password

Dynamically generated OTPs are created during an authentication session by means of some secret parameters that are known only to the client and server and are not stored, so an attacker is not able to steal them (Babkin & Epishkina, 2018). The Bicakci protocol provides OTPs that are generated and verified by means of asymmetric cryptography (Bicakci & Baykal N, 2002). According to Daqiqil Id et al. (2016), the TOTP algorithm is similar to HOTP. This algorithm also depends on the shared secret key and the moving factor, but the process of generating the moving factor is different. In TOTP the moving factor keeps changing depending on the time of generation. The calculation process is the same as HOTP. The general form of TOTP is:

TOTP = HOTP(K, T)

where K is the shared secret key and T is an integer value that represents time. T is calculated using the function:

T = (Tcurrent − T0) / X

Tcurrent is the current time in seconds, whereas T0 is the agreed initial time, usually set to zero

978-1-7281-2930-3/19/$31.00 ©2019 IEEE 115


(T0 = 0). The parameter X determines how long a TOTP is valid. The standard value is 30, so by setting X = 30 we allow one OTP to be valid for only 30 seconds.

B. Secure Hash Algorithm 1

SHA-1 is a hash function of the SHA family that is fast and sensitive to the input message. It takes a message of at most (2^64 − 1) bits and returns a message digest of 160 bits. SHA-1 is commonly used in cryptographic applications and environments where the need for data integrity is high, to index hash functions, and to identify data corruption and checksum errors.

According to Aryasa and Paulus (2014), SHA 1 receives as input a string with a maximum size of 2^64 bits. For each string, SHA 1 produces a 160-bit output of that string, and that output string is called the message digest. The length of the message digest can range from 160 to 512 bits depending on the algorithm. Based on its characteristics, SHA 1 can be used with other cryptographic algorithms such as Digital Signature Algorithms or in the generation of random numbers (bits). SHA 1 is said to be safe because finding a string that produces a given message digest, or finding two different strings that produce the same message digest, takes a practically unlimited amount of computation. In SHA 1 each block is 512 bits, which is processed as 16 sequences of 32 bits. SHA 1 is used to calculate the message digest of strings or data files provided as input. The purpose of padding the string is to make the total length of the string a multiple of 512 bits. The SHA 1 algorithm can be summarized as follows:

a. The calculation uses two buffers of five 32-bit words each and a sequence of 80 32-bit words. The five words of the first buffer are named A, B, C, D, E, while the five words of the second buffer are named H0, H1, H2, H3, and H4. The 80 words are named W0, W1, ...., W79, and the calculation also uses a temporary variable, TEMP.

b. Pad the string M and then split it into N 512-bit blocks M(1), M(2), ...., M(n). The first 32 bits of a block are denoted M0(i), the next 32 bits M1(i), and so on up to M15(i).

c. Hash value initialization (in hex form):
H0 = 67452301
H1 = EFCDAB89
H2 = 98BADCFE
H3 = 10325476
H4 = C3D2E1F0

d. Process M1, M2, ..., Mn by dividing Mi into 16 words W0, W1, ...., W15, where W0 is the leftmost.

e. Calculate, for t = 16 to 79:
Wt = S1(Wt-3 ⊕ Wt-8 ⊕ Wt-14 ⊕ Wt-16)

f. Initialize the 5 variables A, B, C, D, and E with the hash value:
A = H0; B = H1; C = H2; D = H3; E = H4.
Calculate, for t = 0 to 79:
TEMP = S5(A) + ft(B,C,D) + E + Wt + Kt
E = D; D = C; C = S30(B); B = A; A = TEMP.

g. Calculate the hash value:
H0 = H0 + A; H1 = H1 + B; H2 = H2 + C; H3 = H3 + D; H4 = H4 + E.

The resulting 160-bit message digest of string M is H0 H1 H2 H3 H4. The SHA 1 hash computing analogy can be seen in Figure 1.

Fig.1. Hash computing analogy on SHA 1 (Source: Jurnal SPEKTRUM Vol. 3, No. 2, December 2016)

III. RESEARCH METHODOLOGY

The method used by the authors in this study is the USDP (Unified Software Development Process), using UML (Unified Modeling Language) tools. USDP itself is a new methodology used in software and system development; this method is the origin of seven other methodologies. UML is a tool used to describe a system or software. UML is also a way to make it easier for developers to hand over the development of a system or application from one developer to another. Figure 2 shows the stages of the research to be carried out.
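The TOTP computation of Section II.A, written out in Python as an added example (not code from the paper or from the authors' system): HOTP as HMAC-SHA1 with dynamic truncation, T = (Tcurrent − T0)/X with X = 30, and a server-side verification that also refuses an already-consumed time step, which is what stops a sniffed code from being replayed inside its 30-second window. The function names, the ±1 step tolerance and the base32 handling are assumptions; the key bytes are the RFC 4226/6238 test key, constructed here.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the ASCII key "12345678901234567890" from the RFC 4226 /
# RFC 6238 test vectors, base32-encoded the way an authenticator app stores it.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 shared key (from the QRCode or typed in) into K."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(t_current: int, t0: int = 0, x: int = 30) -> int:
    """T = (Tcurrent - T0) / X, the moving factor of TOTP."""
    return (t_current - t0) // x


def totp(key: bytes, t_current: int, t0: int = 0, x: int = 30,
         digits: int = 6) -> str:
    """TOTP = HOTP(K, T)."""
    return hotp(key, time_step(t_current, t0, x), digits)


def verify_totp(key: bytes, code: str, t_current: int, last_used_step=None,
                window: int = 1, x: int = 30, digits: int = 6):
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps either side (clock drift),
    refuses any step already consumed so a sniffed code cannot be replayed
    within its validity, and returns the accepted step or None.
    """
    current = time_step(t_current, 0, x)
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step, digits), code):
            return step
    return None


if __name__ == "__main__":
    k = decode_secret(SAMPLE_SECRET_B32)
    print("code at t=59:", totp(k, 59))                        # 287082
    print("first use:", verify_totp(k, totp(k, 59), 59))        # 1
    print("replay:", verify_totp(k, totp(k, 59), 59, 1))        # None
```

The server must persist the last accepted step per user for the replay check to hold across requests.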
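Steps a to g of Section II.B carried through in Python, as an added example that is not code from the paper or its cited source; the function names are my own, and a comparison against the standard library's SHA-1 is included so the reader can confirm the 160-bit digest on any input.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Circular left shift S^n(x) on a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK


def _pad(message: bytes) -> bytes:
    """Step b: append 0x80, zero bytes and the 64-bit big-endian bit length
    so the total length is a multiple of 512 bits."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def _ft_kt(t: int, b: int, c: int, d: int):
    """Round function f_t(B, C, D) and constant K_t for round t."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK, 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def sha1(message: bytes) -> bytes:
    """160-bit SHA-1 digest following steps a-g of the paper."""
    # Step c: initial hash values H0..H4.
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = _pad(message)
    for off in range(0, len(padded), 64):
        # Step d: the 512-bit block M(i) as 16 words W0..W15, W0 leftmost.
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        # Step e: W_t = S^1(W_t-3 xor W_t-8 xor W_t-14 xor W_t-16), t = 16..79.
        for t in range(16, 80):
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        # Step f: A..E start from H0..H4, then 80 rounds of TEMP and rotation.
        a, b, c, d, e = h
        for t in range(80):
            ft, kt = _ft_kt(t, b, c, d)
            temp = (_rotl(a, 5) + ft + e + w[t] + kt) & MASK
            e, d, c, b, a = d, c, _rotl(b, 30), a, temp
        # Step g: H_i = H_i + working variable, modulo 2^32.
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    # The message digest is H0 H1 H2 H3 H4: 160 bits regardless of input size.
    return struct.pack(">5I", *h)


def sha1_hex(message: bytes) -> str:
    return sha1(message).hex()


def matches_stdlib(message: bytes) -> bool:
    """Cross-check this implementation against hashlib's SHA-1."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print(sha1_hex(b"abc"))              # a9993e364706816aba3e25717850c26c9cd0d89d
    print(matches_stdlib(b"x" * 1000))   # True
```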


Fig.2. Flowchart of Research

After conducting the system analysis and design, the next stage is implementing the authentication system using 2FA (TOTP and SHA1) and running a series of tests on systems that use 2FA, to see whether an authentication system using 2FA is safer than a system that does not use 2FA.

IV. RESULT

A. Analysis of an Authentication System Without Two-Factor Authentication (2FA)

At this stage, observation and testing are carried out to find the weaknesses of an authentication system that uses only the username and password as website login security. After testing the system with the Wireshark tool, as shown in Figure 1, the username and password are seen very clearly when the user logs in, so it is easier for a hacker to take over a user account.

Fig.3. Testing the authentication process

The authentication process without 2FA was then tested 100 times. Testing was done on 20 users, each of whom ran the experiment 5 times, and the username and password were clearly visible without any additional protection, creating a security hole through which a hacker can take over an account very easily. Based on the above analysis, the authentication system design was made using Two-Factor Authentication to improve security in the user login authentication process.

A. Use Case Diagram

There are two main activities carried out by users, namely activating the token device and the token verification process. The activity is outlined in the use case diagram in Figure 1. Activation of the token device can be done in two ways, namely scanning the QRCode or entering the shared key directly. There are two activities that can be done by the user: logging in by entering the username, password, and verification token, and the user registration process with scanning of the QRCode, as shown in Figure 4.

Fig.4. Use Case Diagram

B. Activity Diagram Login

The login process can be seen in Figure 5. The user logs in by entering a username and password, then the system checks that the data entered by the user is the same as the data stored in the database. If they match, the user continues by entering the pin code from the Google Authenticator application. The system checks whether the code is valid or not; if the code is valid, the user is redirected directly to the profile page.

Fig.5. Activity Diagram Login


After logging in successfully, the user is redirected to the verification page to enter the pin code from the Google Authenticator application into the verification input form, as in Figure 6 below.

Fig.6. Verification page

Fig.7. Verification process

Figure 7 above shows the verification process: the system calls the verifyCode function, which takes 2 variables, namely secret_key and scan_code, and then checks whether the pin code entered is correct or not, or has expired.

C. Activity Diagram Register

In the registration process, shown in Figure 8, the user enters the name, address, username and password, then the system checks the availability of the username. If the username is available, the system displays a QRCode that the user must scan with the Google Authenticator application to get a pin code. After getting the pin code from the application, the user enters the code, and the system checks whether the pin code is valid or not. If valid, the user is forwarded or redirected to the profile page.

Fig.8. Activity Diagram Register

D. Class Diagram

Based on the results of the analysis, the class diagram in Figure 9 was arranged; there is one class that is necessary so that all the required processes can run. The class functions to generate the shared secret key, get the QRCode URL, and validate the TOTP password.

Fig.9. Class Diagram

E. Testing

From the results of the above implementation, the security of the authentication system using TOTP and SHA 1 was tested against an authentication system that does not use TOTP and SHA 1. The tool used is Wireshark, to analyze network protocols, record all data packets that pass by, and select and display the data in as much detail as possible, such as a username and password. Figure 10 is the best result of the test.

Fig.10. Testing of the authentication process with Two Factor Authentication (TOTP and SHA1)

After sniffing using Wireshark, the username and password are very clearly visible. However, the password is encrypted with the SHA 1 algorithm, making it difficult for the attacker or hacker to take over and use an account without permission. And user tokens are only used one time, based on a certain time.

The authentication process using 2FA was then tested 100 times. Testing was also done on 20 users, each of whom ran the experiment 5 times, and produced a password encrypted with SHA 1, making it difficult for hackers to take over the account because the user's password has been encrypted by SHA 1 and a verification code that belongs only to the user must also be entered.

Based on the test results, 30 seconds is enough to prevent hackers from entering and taking over an account without permission, and also proves that 2FA can increase the security of the authentication process. This time is the result of testing the user authentication process until the hacker sniffs the tokens to try to take over the account.


Tests were carried out on SHA 1 to see whether it is capable of protecting a password from a hacker using the website-based SHA1 decryptor https://hashkiller.co.uk/sha1-decrypter.aspx. Some passwords can be decrypted; after analysis, the password that cannot be decrypted is a long password (8 characters) that uses uppercase letters, lowercase letters and numbers.

Fig.11. Passwords that cannot be decrypted

Based on Figure 11, the passwords that cannot be decrypted are passwords consisting of at least 8 or 9 characters containing uppercase letters, lowercase letters, and numbers; after trying to decrypt them through the website, the results are not found, which means the password cannot be decrypted.

Fig.12. Password that can be decrypted

Figure 12 shows that the password that can be decrypted is a password consisting of at least 8 or 9 characters which contains only lowercase letters and numbers; after trying to decrypt it through the website, the result was found and the website displayed the password, which is error404, meaning the password can be decrypted.

V. CONCLUSION

Based on the results of the two-factor authentication (2FA) research, the Time Based One Time Password and Secure Hash Algorithm 1 (SHA 1) algorithms produce a better and safer authentication process that tackles possible attacks abusing user access rights. Time Based One Time Password and SHA 1 generate a code which cannot repeat, because the code can only be used once within a certain time limit, so it is unpredictable. Based on the results of security testing, SHA 1 with input strings of different lengths produces a fixed-length output string of 160 bits, so that the user account is relatively safer from sniffing.

Securing the authentication process using TOTP and SHA 1 still needs some improvement to improve security, including that passwords should be a combination of uppercase and lowercase letters and symbols to strengthen them. When securing passwords with SHA 1, some passwords can still be decrypted, so it is better to use an algorithm like SHA 256, SHA512, or AES and to add a safety factor to become Three Factor Authentication, so that authentication does not rely only on the username, password and pin code but also adds one more factor such as fingerprint or biometric, face recognition, or voice recognition.

REFERENCES

[1] Aryasa, K., & Paulus, Y. T, "Implementasi Secure Hash Algorithm-1 Untuk Pengamanan Data Dalam Library Pada Pemrograman Java", Citec Journal, 2014, Vol 1, No 1, pp. 57-66.
[2] Babkin, S., & Epishkina, A, "One-Time Passwords: Resistance to Masquerade Attack", Procedia Computer Science, 2018, 145, 199-203.
[3] Bicakci, K., & Baykal, N, "Infinite length hash chains and their applications", Proceedings of 13th IEEE Int. Workshops on Enabling Technologies: Infrastructure for Collaborating Enterprises, 2002, 55-61.
[4] Id, I. D., Sukamto, & Mahdiyah, E, "Implementasi TOTP (Time-Based One-Time Password) Untuk Meningkatkan Kemanan Transaksi E-Commerce", Konferensi Nasional Sistem & Informasi, 2016, pp. 1-6.
[5] Indrawinatha, I. P., Sudarma, M., & Suryadnya, I. A, "Rancang Bangun Aplikasi Antivirus Komputer Dengan Menggunakan Metode Secure Hash Algorithm 1 (SHA1) Dan Heuristic String", SPEKTRUM, 2016, Vol. 3, No. 2, pp. 100-106.
[6] Jones, I. P, "Easy Crypto for Developers and Users", 2016. Accessed 15 April 2018, from Easy Crypto for Developers and Users - Tozny: https://tozny.com/blog/whats-next-after-sms-one-time-passwords/
[7] Musliyana, Z., Arif, T. Y., & Munadi, R, "Peningkatan Sistem Keamanan Otentikasi Single Sign On (SSO) Menggunakan Algoritma AES dan One-Time Password Studi Kasus: SSO Universitas Ubudiyah Indonesia", Jurnal Rekayasa Elektrika, 2016, Vol. 12, No. 1, pp. 21-29.
[8] Park, C. S, "One-time password based on hash chain without shared secret and re-registration", Computers & Security, 2018, 75, 138-146.
[9] Santoso, K. I, "Dua Faktor Pengamanan Login Web Menggunakan Otentikasi One Time Password Dengan Hash SHA", Seminar Nasional Teknologi Informasi & Komunikasi Terapan 2013 (SEMANTIK 2013), 2013, pp. 204-210.
[10] Santoso, K. I., Sediyono, E., & Suhartono, "Studi Pengaman Login Pada Sistem Informasi Akademik Menggunakan Otentifikasi One Time Password Berbasis SMS dengan Hash MD5", Jurnal Sistem Informasi Bisnis, 2013, Vol 1, pp. 7-12.
[11] Sulianta, F, "Trik Mudah Menjebol Sekaligus Mengamankan Password", 2015, Bandung: Penerbit Andi.
[12] Suteja, B. R., & Christian, "Verifikasi Penjualan Melalui Web Site e-Commerce dengan Menggunakan Metode Hashing (SHA)", Jurnal Sistem Informasi UKM, 2006, Vol. I, No. 1, 7-15.
[13] Ungkawa, U., Dewi, I. A., & Putra, K. R, "Implentasi Algoritma Time-Based One Time Password Dalam Otentikasi Token Internet Banking", Jurnal Informatika, 2017, pp. 2-11.
[14] Wang, S. Q., Wang, J. Y., & Li, Y. Z, "The web security password authentication based the single-block hash function", IERI Procedia, 2013, 4, 2-7.