TOTP (Time-Based One-Time Password)
Last updated: 2026-02-20
What Is TOTP
TOTP (Time-based One-Time Password) is an algorithm that generates a new 6-digit one-time password at regular intervals (typically 30 seconds) by combining the current time with a shared secret key. Standardized in RFC 6238, it is widely adopted as an implementation method for two-factor authentication.
Authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy use this mechanism. By entering the 6-digit code displayed in the authenticator app in addition to your password when logging in, unauthorized access can be prevented even if your password is compromised.
How TOTP Works
The operating principle of TOTP is simple yet robust.
- Sharing the Secret Key: When you set up TOTP on a service, the server generates a secret key (typically a 160-bit value encoded in Base32). This key is displayed as a QR code, which is scanned by the authenticator app to store it on the app side
- Calculating the Time Counter: The current Unix timestamp divided by 30 (integer value) is used as the counter. Since both the server and app reference the same time, they arrive at the same counter value
- Generation via HMAC-SHA1: The secret key and counter value are input into the HMAC-SHA1 algorithm to produce a hash value. A 6-digit number is dynamically extracted from this hash
- Verification: The server performs the same calculation and verifies whether it matches the code entered by the user. To account for time drift, codes from 1-2 steps before and after are typically also accepted
After setup, the secret key never travels over the network again, and each generated code becomes invalid once its 30-second step has passed. Even if a code is entered on a phishing site, the window in which an attacker can reuse it is extremely limited.
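The four steps above, carried through in code as an added example (this is not code from the page and not any authenticator app's implementation): Base32 decoding of the shared secret, the 30-second time counter, HMAC-SHA1 with dynamic truncation, and server-side verification with a drift window. The secret is the published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), Base32-encoded as a QR code would carry it, so the outputs can be checked against the RFC's test vectors. The example goes one step beyond the text by also refusing any counter at or below the last counter already accepted, which is the standard defence against replaying a code captured during its validity window.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret ("12345678901234567890"),
# Base32-encoded the way an authenticator app receives it from the QR code.
# It is a test vector, not a real secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds per counter step (RFC 6238 default)
DIGITS = 6       # code length shown by the authenticator app


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret; tolerate lowercase, spaces and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation of the 20-byte MAC to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    binary = (
        (mac[offset] & 0x7F) << 24               # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, step: int = TIME_STEP) -> int:
    """Time counter T = floor(unix_time / step), with T0 = 0 (RFC 6238)."""
    return unix_time // step


def totp(secret_b32: str, unix_time=None, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """The code an authenticator app displays at `unix_time` (default: now)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(decode_secret(secret_b32), totp_counter(unix_time, step), digits)


def verify(secret_b32: str, code: str, unix_time: int, last_used_counter=None,
           window: int = 1, step: int = TIME_STEP, digits: int = DIGITS):
    """Server-side check. Returns the counter that matched, or None.

    Counters T-window .. T+window are accepted to tolerate clock drift between
    server and device. Any counter at or below `last_used_counter` is refused so
    that a code captured and replayed inside the drift window is rejected; the
    server should persist the returned counter per user as the new high-water mark.
    """
    secret = decode_secret(secret_b32)
    now_counter = totp_counter(unix_time, step)
    for counter in range(now_counter - window, now_counter + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B: time 59 -> counter 1 -> "94287082" (8 digits), "287082" (6)
    print(totp(TEST_SECRET_B32, 59), totp(TEST_SECRET_B32, 59, digits=8))
    print(verify(TEST_SECRET_B32, "287082", 89))                       # 1 (drift accepted)
    print(verify(TEST_SECRET_B32, "287082", 89, last_used_counter=1))  # None (replay refused)
```

Anyone holding `TEST_SECRET_B32` computes exactly the same codes, which is the point of the misconception discussed further down: the code is device-specific only as long as the secret stays on that device.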
Comparison with SMS Authentication
While SMS authentication is also widely used for two-factor authentication, TOTP is superior in terms of security.
- Resistance to SIM Swap Attacks: SMS authentication is vulnerable to SIM swap attacks where attackers trick carriers into transferring the phone number. TOTP generates codes using the secret key on the device, so phone number hijacking cannot bypass it
- Communication Channel Security: SMS can be intercepted due to SS7 protocol vulnerabilities. TOTP code generation requires no network communication, so there is no delivery channel to intercept
- Offline Operation: TOTP can generate codes even when the device is offline. SMS cannot be received in areas without cellular coverage
- Cost: SMS delivery incurs costs for the service provider. TOTP is completed with server-side computation only
However, TOTP also has weaknesses. It is vulnerable to real-time phishing attacks (relay-type phishing where attackers immediately forward entered codes to the legitimate site). For protection against this, authentication methods with phishing resistance like passkeys are effective.
Choosing an Authenticator App and Backup
The most important factor when choosing an authenticator app is backup capability. If you lose access to your authenticator app due to device loss or failure, you risk being locked out of all registered services.
- Authy: Supports cloud backup and multi-device sync. Easy recovery when a device is lost
- Microsoft Authenticator: Supports backup to iCloud / Google account. Strong compatibility with enterprise environments
- Google Authenticator: Supports sync to Google account (since 2023). Simple and lightweight
- 1Password / Bitwarden: Can manage password manager and TOTP in one place. Highly convenient, but storing passwords and TOTP together technically reduces the independence of the two factors
Regardless of which app you choose, always store the recovery codes (backup codes) displayed during TOTP setup in a safe place. Recommended methods include printing on paper and storing in a safe, or saving in an encrypted file.
To learn more about this topic, see Two-Factor Authentication (2FA): The Best Defense for Your Accounts.
Common Misconceptions
- Misconception: Setting up TOTP completely prevents phishing
  - Reality: TOTP is effective as a defense against password leaks, but is vulnerable to real-time relay phishing (where attackers immediately forward entered codes to the legitimate site). For complete phishing resistance, use passkeys or FIDO2 security keys.
- Misconception: Authenticator app codes are device-specific so no one else can generate them
  - Reality: TOTP codes are calculated from the secret key and current time, so anyone who knows the secret key can generate the same code. Never show others your QR code screenshots or secret key strings.
TOTP vs. SMS Authentication
- TOTP (Authenticator App): Generated on device. Resistant to SIM swap attacks. Works offline. Requires secret key backup.
- SMS Authentication: Sent to phone number. Vulnerable to SIM swap attacks. Requires cellular signal. Easy to adopt as long as you have a phone number.