TOTP

Time-based One-Time Passwords (TOTP) are commonly used for user authentication, but in remote attestation, they can serve as a lightweight mechanism to ensure freshness and prevent replay attacks.

Attestation technologies such as AMD SEV-SNP and Intel TDX offer hardware-based integrity and cryptographic identity, but they do not inherently prove the freshness of an attestation. By embedding a TOTP in the attestation payload, for example through a custom annotation, it becomes possible to confirm that the report was generated within a valid and recent time window.

During provisioning, the attester and verifier share a TOTP secret. The attester includes a current TOTP value in the attestation. The verifier then independently calculates the expected TOTP and accepts the report only if it matches.

This method offers a balance of simplicity and security: since the TOTP is embedded within the signed attestation and refreshes typically every 30 seconds and renders outdated reports invalid. It eliminates the need for nonce-based freshness checks while still guarding effectively against replay attacks.

In practice, a confidential VM might include a TOTP token in its SEV-SNP attestation, allowing a verifier to confirm both the integrity and freshness of the attestation in a single step.