What is TOTP? — Time-Based One-Time Password Explained
Definition
TOTP (Time-Based One-Time Password) is an algorithm defined in RFC 6238 that generates a temporary numeric code valid for a short time window (typically 30 seconds), used as a second factor in multi-factor authentication (MFA). It is the algorithm behind Google Authenticator, Authy, and other authenticator apps. TOTP codes are computed locally on the device without requiring network access, using a shared secret and the current Unix timestamp.
How It Works
TOTP is built on HMAC. During setup, the server generates a random secret key and shares it with the user (typically via a QR code containing an otpauth:// URI). To generate a code, the authenticator app takes the current Unix timestamp divided by 30 (the time step) and computes HMAC-SHA1(secret, time_counter). It then extracts a 4-byte dynamic truncation of the HMAC output and takes it modulo 10^6 to get a 6-digit code. The server performs the same computation and compares results, allowing a small window of adjacent time steps to account for clock drift.
Common Use Cases
- Two-factor authentication (2FA) for user logins on websites and apps
- Securing admin and privileged accounts against password-only compromise
- Device-independent second factor that works offline (no SMS required)
- Authenticating SSH logins with PAM TOTP modules
- Protecting API access with time-limited secrets
Example
Setup:
1. Server generates secret: JBSWY3DPEHPK3PXP
2. User scans QR code in Authenticator app

Code generation (every 30 seconds):
- time_step = floor(unix_timestamp / 30)
- HMAC-SHA1(secret, time_step)
- Truncate to 6 digits
- Current code: 837621
FAQ
- What is the difference between TOTP and HOTP?
- TOTP (Time-Based) generates codes from the current timestamp, so each code expires at the end of its 30-second time step. HOTP (HMAC-Based One-Time Password, RFC 4226) generates codes from a counter that increments with each use. TOTP is more secure because old codes expire automatically, limiting how long a captured code can be replayed; an HOTP code remains valid until it is used.
- Is TOTP truly secure?
- TOTP is far more secure than SMS 2FA because it is not vulnerable to SIM swapping. However, it is vulnerable to phishing — an attacker can create a fake login page that forwards the TOTP code in real time. Hardware security keys (FIDO2/WebAuthn) are phishing-resistant and provide stronger protection.
- What happens if my authenticator app is deleted or my phone is lost?
- You need backup codes (one-time codes generated at setup), a backup authenticator app, or account recovery through the service. Always save your backup codes when setting up TOTP. Some services also allow multiple authenticator devices to be registered with the same account.