
What is TOTP?

A Time-Based One-Time Password (TOTP) is a short, temporary code generated by an algorithm that takes the current time as one of its inputs. Like a generic one-time password (OTP), a TOTP is meant to be accepted only once, but it also has a fixed lifespan: codes are valid for one time step, most commonly 30 seconds (some deployments use 60). When the step expires, the authenticator app shows a new code without any interaction with the server.

The TOTP standard is defined by the Internet Engineering Task Force (IETF) in RFC 6238, which builds on the HMAC-based one-time password (HOTP) algorithm of RFC 4226. It is widely adopted in two-factor authentication (2FA) and multi-factor authentication (MFA) systems. Because a TOTP is derived from a secret shared between the client (the user's device) and the server plus a clock that both sides keep in sync, a code cannot be predicted without the secret and is useless once its time step has passed. Note that this does not by itself stop a code from being reused within its window; a server should remember the last accepted time step and refuse to accept the same one twice.

How TOTP works

The generation of a TOTP involves the following steps:

  1. Shared secret: During the initial setup, the server generates a random secret key and stores it securely; the client stores a copy as well. The secret is usually delivered as a QR code encoding an otpauth:// URI that carries the base32-encoded key, the issuer, the account name and the parameters (algorithm, digits, period), which the user scans with an authenticator app.
  2. Time intervals: The current Unix time is divided into fixed steps, usually of 30 seconds. The step number, floor(now / 30), is the counter that feeds the algorithm.
  3. Algorithm application: The shared secret and the step counter (encoded as an 8-byte big-endian integer) are fed into HMAC, with HMAC-SHA1 as the default (RFC 6238 also allows SHA-256 and SHA-512). The 20-byte MAC is then reduced by dynamic truncation to a 31-bit integer, and that integer modulo 10^digits gives the 6- to 8-digit code.
  4. Synchronization: Client and server each compute the code independently from the same secret and the same step counter, so the codes match only while their clocks agree on the step. To tolerate small clock drift, servers typically also accept the codes of one step before and one step after the current one.
  5. Verification: When the user logs in or performs a critical transaction, they enter the code displayed in their authenticator app. The server computes the expected codes for the accepted steps, compares the submitted code against them in constant time, and records the step it accepted so that the same code cannot be replayed before it expires.

When to use TOTP

In most cases a delivered OTP (one the server sends to the user) is the simpler choice, but when the server cannot push a new passcode to the user, TOTP is the better fit. Keep in mind that a delivered OTP is only as strong as its channel: SMS in particular is exposed to SIM-swap and interception attacks, which is one reason authenticator apps are preferred for higher-assurance logins.

  • TOTP example: Authenticator App
  • OTP example: Email, SMS

What is the difference between OTP and TOTP?

The main difference is how the user obtains the code. A delivered OTP is generated by the server and sent to an email address or phone number, so the user's mailbox or phone must be reachable at login time. A TOTP is computed on the user's device from the shared secret and the current time, so the authenticator app can stay offline indefinitely and still produce a code the server can check, because the server only needs its own copy of the secret and a synchronized clock. The trade-off is that the secret lives on the device: if it is exported or the device is compromised, every future code is exposed, whereas a delivered OTP leaks only one code at a time.

See also