What is TOTP?
A Time-Based One-Time Password (TOTP) is a temporary, unique code generated by an algorithm that uses the current time as a key input. Like a generic one-time password (OTP), a TOTP is used only once, but it also has a fixed lifespan, typically 30 to 60 seconds. When the code expires, a new one is generated automatically.
The TOTP standard is defined by the Internet Engineering Task Force (IETF) in RFC 6238, and it is widely adopted in two-factor authentication (2FA) and multi-factor authentication (MFA) systems. Because TOTPs rely on synchronized time between the client (the user's device) and the server, they offer a high level of security and are difficult to predict or reuse.
How TOTP works
The generation of a TOTP involves the following steps:
- Shared secret: During the initial setup, a shared secret key is generated and stored securely on both the client and server. This key is typically encoded as a QR code which users scan using an authentication app.
- Time intervals: The current time is divided into fixed intervals, usually of 30 seconds.
- Algorithm application: The shared secret key and the current timestamp are fed into a hash-based algorithm (often HMAC-SHA1) to produce a unique numeric code.
- Synchronization: Both the client and server generate the code independently using the same shared secret and current timestamp. The codes match only if both are in sync.
- Verification: When the user logs in or performs a critical transaction, they enter the TOTP displayed on their authentication app. The server then compares it with its internally generated TOTP for validation.
When to use TOTP
In most cases a normal OTP is recommended; TOTP is recommended where the server cannot "trigger" delivery of a new passcode to the user.
- TOTP example: Authenticator App
- OTP example: Email, SMS
What are the differences between OTP and TOTP?
The main difference is that TOTP is time-based, so it works when the user's device is not connected to the server. The server can easily send a new OTP to an email address or a phone number, but that requires the email account or phone to be online. An authenticator app, by contrast, can stay offline and use the current time to generate the passcode the server will verify.