Saturday, July 20, 2024

Many are aware that one-time password generation algorithms, such as HOTP, TOTP, and OCRA, have long been used in two-factor authentication systems. The use of TOTP tokens as Electronic Visit Verification FOB has gained widespread popularity. What are the peculiarities of employing the TOTP algorithm for EVV purposes? These and other questions will be addressed below.

The aim of this article is to explore the synergy of various technologies and assess the reliability of TOTP tokens (Time-Based One-Time Password) as an authentication method in EVV (Electronic Visit Verification) systems. We will conduct a comprehensive analysis of the role of TOTP tokens in ensuring the security and reliability of EVV systems, examine their advantages and limitations, and determine their relevance in this context. 

Once again, what is Electronic Visit Verification?

Electronic Visit Verification (EVV) is a significant technology used in the healthcare and home services industries. This system is designed to efficiently record and verify the visits of healthcare workers and service providers to their patients. EVV plays a crucial role in enhancing the reliability and accuracy of visitation data, which is vital for ensuring quality care and compliance with regulations.

Its primary objective is to ensure the authenticity and accuracy of visitation information. Participants in the EVV system must have confidence that the visitation data is accurate. EVV encompasses a wide range of functions, including time tracking, location tracking, identification of healthcare workers, and service documentation.

At present, Electronic Visit Verification is widely implemented and used in various countries, especially in the United States and Canada.

Key components of EVV systems

The main components of EVV systems include authentication tools, as well as management and monitoring systems. The interaction of these components ensures the effective functioning of the EVV system. Authentication can be facilitated through specialized applications installed on smartphones or EVV FOB (token).

Such an Electronic Visit Verification FOB is specifically designed for authentication (code generation) and does not perform functions such as worker geolocation tracking, but it can operate independently without the need for a phone, application, mobile network, or the internet. It is entirely autonomous.

Electronic Visit Verification FOB

TOTP tokens as an authentication method

TOTP (Time-Based One-Time Password) is a method for generating one-time passwords based on time. It uses a secret key and the current time to generate a unique password that is valid for a short period.

How do TOTP tokens work in two-factor authentication systems?

During authentication, the user enters a one-time password generated by their token into the authentication form. This data is transmitted to the authentication system. On its side, the system generates a one-time password based on the user’s current token-specific secret key and the current time, then compares it with the password provided by the user. If they match, the user successfully authenticates.

How do TOTP tokens work in EVV systems?

In an EVV system, when a healthcare worker arrives at a patient’s location, they record a code from the token. Then, when the service session is completed, the healthcare worker records another code. These codes are then transmitted to the EVV system through a specific method, either by phone or via the Internet. The EVV system generates pairs of values: all the codes for the relevant time period and their corresponding timestamps. By using the codes provided by the healthcare worker, the system identifies the time corresponding to each code.

Issues with TOTP Tokens in EVV Systems

1. Duplicate Codes – Technical Problem
2. False Code Generation – Employee Fraud

Let’s delve into these two issues and explore methods to minimize the associated risks.

Duplicate Codes

Using a large time interval to determine the time corresponding to a code may result in the duplication of codes.

Let’s calculate the probability of duplicate code occurrence. In a single day, a TOTP token with a 30-second password lifespan generates (codes):

2 * 60 * 24 = 2,280

The range of values for codes on a 6-digit token is:

10^6 = 1,000,000

Probability of duplicate codes:

2,280 / 1,000,000 = 0.00228

In other words, a duplicate on a specific 6-digit TOTP token with a 30-second OTP lifespan occurs approximately every 438 days. While this may seem infrequent, if you are managing 500 or more tokens, you will encounter this issue daily.

Possible ways to reduce the negative impact of duplicates or decrease their occurrence include reducing the search intervals in the analysis algorithm, considering both check-in and check-out codes, and using tokens with 8 characters and a 1-minute OTP lifespan.

Let’s calculate the probability of duplicates for this token. In one day, a TOTP token with a 1-minute password lifespan will generate (codes):

60 * 24 = 1440

The range of values for codes on an 8-digit token is:

10^8 = 100,000,000

The probability of duplicate occurrence:

1440 / 100,000,000 = 0.0000144

In other words, a duplicate on a specific 8-digit TOTP token with a 60-second OTP lifespan will occur approximately every 69,444 days or once every 190 years.

False Code Generation

Sometimes, EVV companies issue tokens to healthcare workers who may generate codes without actually visiting the patient and then transmit them to the system. It is also possible to generate the check-in code before the actual visit.

To mitigate the risk of this issue, it is crucial for the patient to register the codes or monitor their retrieval from the token and transmission to the EVV system. However, this may not be very convenient.

A simple and reliable alternative is to issue tokens to patients, who can then provide the start and end visit OTP codes to the worker. The drawback of this scheme is the need to issue tokens to multiple patients, likely fewer in number than healthcare workers.


This article delves into the integration of Time-Based One-Time Password (TOTP) tokens into Electronic Visit Verification (EVV) systems, examining their reliability and functionality in this context. EVV, a critical technology in healthcare and home services, plays a pivotal role in enhancing visitation data accuracy and ensuring quality care. TOTP tokens, widely used in two-factor authentication, offer a robust solution for verifying visits in EVV systems.

Key components of EVV systems, including authentication tools and management systems, work in synergy to secure the authentication process. While TOTP tokens are primarily designed for code generation, they operate independently, making them suitable for EVV purposes.

The article also highlights two critical issues: duplicate codes and false code generation. Duplicate codes, arising from large time intervals, can be addressed by reducing search intervals, considering both check-in and check-out codes, or using tokens with longer OTP lifespans. Calculations reveal that with the latter approach, the probability of duplicates occurring is exceptionally low.

False code generation, often a concern in EVV systems, can be mitigated by involving patients in code registration or monitoring. Alternatively, tokens can be issued to patients for them to provide start and end visit OTP codes to healthcare workers, ensuring an additional layer of verification.

In summary, TOTP tokens offer a secure and efficient authentication method for EVV systems, and while challenges exist, they can be effectively managed to enhance the accuracy and reliability of visitation data, ultimately leading to improved patient care and compliance with regulations.

Choose your TOTP token


Subscribe our Newsletter for new blog posts & tips. Let's stay updated!


Leave a Comment


John McHacker

John was a computer programmer and hacker known for his expertise in breaking into secure computer systems. He developed a reputation as a master of computer security and was often hired by companies to test the strength of their cybersecurity measures.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept