What is TOTP?
TOTP stands for Time-based One-Time Password. It generates short numeric codes that change on a fixed schedule (commonly every 30 seconds) using a shared secret and the current time. You’ll most often see TOTP in authenticator apps as a second factor: even if someone learns your password, they still need the temporary code from your device.
The standards behind it (RFCs)
TOTP is defined by RFC 6238. It’s built on top of the earlier HOTP algorithm (HMAC-based One-Time Password, defined by RFC 4226). You can think of it like this:
- HOTP generates a one-time code from a secret + a counter.
- TOTP replaces the counter with a counter derived from time.
That’s why TOTP codes “roll” automatically—time keeps increasing, so the effective counter changes on its own.
How TOTP works (high level)
Both your server and your authenticator app store the same secret key (often encoded as Base32 in a QR code). To compute a code, they:
- Compute a time step value (e.g., floor(currentUnixTime / 30)).
- Use that step value as the HMAC counter (a keyed hash) together with the shared secret.
- Apply “dynamic truncation” to extract a smaller integer.
- Format it to a fixed length (commonly 6 digits, sometimes 8).
RFC 6238 specifies common parameters like a 30-second time step and default hashing (historically HMAC-SHA-1, with options for SHA-256 and SHA-512 as well).
Why it’s useful for 2FA
The main benefit is that the code is valid only briefly, which limits the time window for reuse. A stolen password alone isn’t enough; the attacker also needs the current TOTP code generated from the shared secret.
- Offline-friendly: authenticator apps can generate codes without a network connection.
- Widely supported: many services and apps implement RFC 6238.
- Simple UX: users just read a code and type it in.
Important security notes
- TOTP can be phished. If you type the code into a fake site, an attacker can use it immediately. (Phishing-resistant options include passkeys / WebAuthn, where the authenticator verifies the site.)
- Clock drift happens. Servers typically accept a small window (e.g., one step before/after) to tolerate minor device time differences.
- Protect the secret. Anyone who obtains the shared secret can generate valid codes forever (until you reset 2FA). Treat it like a password—don’t paste it into unknown apps or screenshots.
- Plan for recovery. Use backup codes, a second device, or secure vault backups so you don’t get locked out.
In short: TOTP is a standardized, time-synchronized way to produce one-time codes from a shared secret. It’s not perfect (especially against real-time phishing), but it’s still a strong upgrade over passwords alone.