A time-based one-time password or passcode (TOTP) is an advanced yet straightforward auth method that improves security without compromising user experience (UX). It uses algorithms to generate temporary credentials that expire after a short duration, allowing authorized users to log in to a service but making it harder for attackers and other unauthorized persons to do so.
This guide will cover everything you need to know about TOTP:
What TOTP is and what forms it can take
How TOTP works and the processes involved
How TOTP compares to other auth methods
The benefits and potential drawbacks of TOTP
What is TOTP?
The TOTP protocol was published as RFC 6238 by the Internet Engineering Task Force (IETF) in 2011. A TOTP is a temporary code generated with an algorithm that uses a shared secret and the current time as inputs. This code is meant to grant users one-time access to an application.
TOTPs come in two main forms: hardware tokens and software tokens.
A TOTP hardware token is generally a physical fob or security key that displays the current code on a screen built into the device.
A TOTP software token is generally an authenticator application on a mobile device (like Authy or Google Authenticator) that displays the current code on the phone screen.
Unlike passwords, which are static and can be easily stolen, a TOTP code changes at set time intervals (usually 30 to 90 seconds) and is difficult for attackers to compromise. This makes TOTP a strong second factor in multi-factor authentication (MFA) or two-factor authentication (2FA).
Here is an example of what a TOTP login flow could look like for a user:

How does TOTP work?
TOTP works like other OTPs, with the addition of a timer that regenerates the code at regular intervals. Before going into the specifics of time constraints, it’s important to understand how OTP generation algorithms work in general. Two inputs are used to generate OTP codes:
A seed. This is a static secret key that is shared between the token and the server. It is created when a new account is established on the authentication server.
A moving factor. This is a component that changes every time a new OTP is requested or at set periods of time. It’s useful for all OTPs but absolutely essential for TOTP.

In TOTP, the seed is a secret key that is shared between the authentication server and the token during first-time use. The moving factor used by the TOTP algorithm is typically Unix time or a unit that’s derived from it. This algorithm uses a form of symmetric key cryptography since the same key is used by both the client and the server to independently generate the OTP.
Authentication using TOTP consists of two stages:
Registration, where the server generates the seed and communicates it to the client. This happens once, when the user chooses TOTP as their preferred 2FA factor for an app.
Validation, where the client generates a code and passes it on to the server for validation. This happens every time a user tries to authenticate using TOTP.
The time-based regeneration of codes with TOTP improves on the already strong security of OTP by giving potential attackers fewer attempts at a target that is always changing.
TOTP registration
Here’s a simplified flow for when TOTP authenticator apps are registered:

Step 1: The user enters their username and presents the first factor of authentication. They then choose authenticator apps as their preferred second factor while setting up 2FA.
Step 2: The server generates a shared secret key (the seed). The seed is embedded in a URL / QR code and passed on to the client. The server also stores the seed in a database (secret manager) for future retrieval.
Step 3: When the user clicks the URL or scans the QR code, TOTP registration is complete. The TOTP authenticator stores the seed in the client device in a secure manner.
Step 4: To complete the registration, a process of TOTP validation occurs (see the section below). Note: Some applications require two TOTP validations to complete registration.
TOTP validation
Here’s a simplified flow showing TOTP validation:

Step 1: The user begins the login process and successfully presents the first factor of authentication.
Step 2: The client generates a TOTP code using the seed and moving factor (Unix time). The seed used is the one created during the registration process. The client sends the TOTP code to the server.
Step 3: The server independently generates a TOTP code using the same seed and moving factor. The server then compares the two TOTP codes – the one it generated independently and the one it got from the client – to check if they match.
Step 4: If the two codes match, the user is successfully logged in.
TOTP vs related auth methods
TOTP exists alongside other auth methods that function similarly. Besides basic OTP, there are HOTPs and SMS-based auth. Here is an overview of how these methods compare at a glance:
| | TOTP | HOTP | SMS |
|---|---|---|---|
| Mechanics | Algorithms generate codes using a shared secret and Unix time | Algorithms generate codes that change incrementally | Login codes are sent to a secondary device via SMS message |
| Security | Strong, especially against brute force and theft attacks | Strong, with some vulnerability to brute force and theft | Decent; susceptible to MITM and SIM-swapping attacks |
| User-friendliness | Strong, with the caveat that users have to input codes | Very strong, with no need for user input | Strongest, with fast logins and minimal user effort |
TOTP vs HOTP
One of the most common comparisons for TOTP is the similar-sounding HOTP. This is the original standard that TOTP was based on. The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). Thus, HOTP stands for HMAC-based One-time Password. HOTP was documented by the Initiative for Open Authentication (OATH) as RFC 4226 back in 2005.
The main difference between HOTP and TOTP is how the moving factor is calculated.
In HOTP, the moving factor is a counter that’s incremented every time a new OTP is requested, then stored on both the token and the server. The counter on the token increments by one when a new OTP is requested. The server increments by one when an OTP is validated.

HOTP tends to be user-friendly since it doesn’t increment until the user requests a new OTP. This means the user has ample time to enter the OTP. However, this also makes HOTP more susceptible to brute force attacks when compared to TOTP.
TOTP is generally more secure than HOTP. However, the user has to input the passcode before it refreshes, which introduces the possibility of time drift. To cope with this, the authenticating server must make it easy for users to input a new OTP if the previous one expires.
TOTP 2FA vs SMS 2FA
Another common comparison for TOTP is SMS-based OTP, since both work for 2FA/MFA. SMS authentication lets users log in to applications by entering a code sent to their phone via text message. It verifies users with a possession-based factor (their mobile phone). Although SMS authentication is widely used, TOTP 2FA is considered the better option for a few reasons.
TOTP is safer than SMS since it’s a stronger proof of possession. SMS authentication is vulnerable to SIM swapping and man-in-the-middle (MITM) attacks, where adversaries can intercept text messages and gain fraudulent account access. In 2016, a NIST commentary on SP 800-63-3 proposed that SMS be deprecated as an out-of-band second authentication factor.
TOTP is also usable in a wider range of scenarios than SMS 2FA. Unlike SMS, TOTP doesn’t depend on Internet connectivity, mobile carriers, or delivery rates. TOTP is one of the fastest 2FA methods and faster on average than SMS. Moreover, TOTP doesn’t require applications to collect user PII (Personally Identifiable Information, like phone numbers), making it viable for a larger pool of users, including discerning ones that are reluctant to share their phone numbers.
Benefits of using TOTP
TOTP is widely used because of how effective it is. A recent report on MFA spending found TOTP authenticators (58%) to be one of the most popular MFA form factors other than passwords.
Here are some advantages of using this authentication method:
Safer than just using passwords: TOTPs are meant for one-time use, which makes them resistant to replay attacks where the attacker intercepts and records data to use later. Using a TOTP as a second factor also reduces risk when user passwords get stolen.
Primed for wide adoption: Users like TOTP mobile authenticators because no codes need to be remembered, and they don’t require new hardware. Mobile authenticators can be used for both enterprise and consumer contexts. Apps that support biometric auth add a strong second factor and protect users even if their device gets stolen.
Can work offline: Since the TOTP algorithm uses a shared secret key and Unix time as inputs, the server and client can independently generate and validate one-time codes without needing an Internet connection. This makes TOTP usable in a wide variety of scenarios, including when users are traveling globally or lack network connectivity.
Drawbacks of using TOTP
There is no authentication silver bullet, and that includes TOTP. If not used carefully, it can open up vulnerabilities or inconveniences. Here are some risks to keep in mind while using TOTP:
Shared secrets: The seeds used in TOTP generation are shared secrets, which is never an ideal security practice. They make the server an attractive target for attackers. If they steal the secrets, they can generate passcodes to fraudulently access user accounts. It’s important for the shared secret to be stored securely on both the client and server sides.
Device dependence: If a user’s device is stolen, lost, or broken, the TOTP authenticator will no longer function as intended. In these cases, the app must find other ways of authenticating the user before reissuing a TOTP authenticator. That said, the likelihood of lost or stolen devices is much lower than the likelihood of stolen or leaked passwords.
TOTP authentication with Descope
TOTP is one of the best approaches to auth for security and UX purposes. By algorithmically generating codes based on a shared secret and a specific unit of time, it streamlines logins and eliminates the need for users to create, memorize, and manage passwords. It improves on the already strong security of OTP with added protection against common cyberattack vectors.
Despite how easy it is for users, adding TOTP authentication to your app can be complex and time-consuming, shifting dev focus from other business-critical activities. Descope abstracts away the implementation details of TOTP authentication with a drag-and-drop workflow editor.
Sign up for a Free Forever account with Descope and add authenticator app functionality to your app with a few lines of code. Have questions about TOTP? Book time with our experts.