Time-Based One-Time Password (TOTP)
What is Time-Based One-Time Password (TOTP)?
Time-Based One-Time Password (TOTP): a one-time password algorithm defined in RFC 6238 that derives a short numeric code from a shared secret and the current time, changing at every time step (30 seconds by default).
TOTP is a widely deployed second-factor mechanism. The user's authenticator app (Google Authenticator, Authy, 1Password) and the server share a symmetric seed, usually provisioned by scanning a QR code that carries an otpauth:// URI with the base32-encoded secret. Both sides compute an HMAC (SHA-1 by default; SHA-256 and SHA-512 are also specified) over a counter equal to the current Unix time divided by the time step (30 seconds by default), then truncate the result to a 6- to 8-digit code exactly as HOTP (RFC 4226) does with its event counter. The visible code changes every time step, and a server normally accepts only the current step plus one step on either side to absorb clock drift, so a shoulder-surfed code is useful for a minute or so at most. Once the seed is provisioned the app works fully offline. Its main weaknesses are real-time phishing proxies (adversary-in-the-middle) that relay a freshly entered code to the real site inside its validity window, malware on the device that reads the seed, and seed compromise on the server side: because the secret is symmetric, the server must store it, and a database breach exposes every user's second factor. Servers also need rate limiting and replay protection (never accept a code for a time step that has already been used), otherwise a six-digit code space is small enough to guess. FIDO2 security keys and passkeys are bound to the origin and resist relay phishing, so they are preferred where possible.
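The following is an added worked example, not code from the original page or from any of the authenticator apps it names. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, plus the server-side verifier a practitioner actually needs: a small clock-skew window, a constant-time compare, and replay protection that refuses to accept a time step at or below the last one already used. The `provisioning_uri` helper builds the otpauth:// string that enrolment QR codes encode. Seeds and timestamps used below are the published RFC test vectors (ASCII "12345678901234567890"), not real secrets.

```python
import base64
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                step: int = 30, digits: int = 6, skew: int = 1,
                algorithm: str = "sha1") -> tuple[bool, int]:
    """Server-side check. Returns (accepted, counter_to_store).

    - accepts the current step and +/- `skew` neighbouring steps (clock drift)
    - skips any counter <= last_counter, so a captured code cannot be replayed
      within its validity window
    - compares with hmac.compare_digest to avoid timing leaks
    The caller persists the returned counter per user (and should rate-limit attempts).
    """
    current = unix_time // step
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_counter:
            continue
        expected = hotp(secret, candidate, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True, candidate
    return False, last_counter


def provisioning_uri(secret: bytes, issuer: str, account: str, digits: int = 6,
                     step: int = 30, algorithm: str = "sha1") -> str:
    """otpauth:// URI as embedded in the enrolment QR code (secret is unpadded base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm.upper()}&digits={digits}&period={step}")


if __name__ == "__main__":
    seed = b"12345678901234567890"             # RFC 4226 / RFC 6238 SHA-1 test seed
    print("RFC 6238 vector, t=59, 8 digits:", totp(seed, 59, digits=8))   # 94287082
    print("current code:", totp(seed, int(time.time())))
    print(provisioning_uri(seed, "Example", "alice@example.com"))
    # first use of the step containing t=70 is accepted, a replay of it is not
    ok, last = verify_totp(seed, "287082", 70, last_counter=-1)
    print("first use:", ok, "stored counter:", last)
    print("replay:", verify_totp(seed, "287082", 70, last_counter=last)[0])
```

The replay counter is the detail most home-grown verifiers miss: without it, a code phished or shoulder-surfed at second 5 of a window still works at second 25, and with a skew window of one step it works for up to 90 seconds.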
● Examples
- 01 Scanning a QR code into Google Authenticator to enable 2FA on a GitHub account.
- 02 Entering a 6-digit code from an authenticator app when logging in to a banking portal.
● Frequently asked questions
What is Time-Based One-Time Password (TOTP)?
A one-time password algorithm defined in RFC 6238 that derives a short code from a shared secret and the current time, rotating every 30 seconds. It belongs to the Identity & Access category of cybersecurity.
What does Time-Based One-Time Password (TOTP) mean?
A one-time password algorithm defined in RFC 6238 that derives a short code from a shared secret and the current time, rotating every 30 seconds.
What are the weaknesses of Time-Based One-Time Password (TOTP), and how are they mitigated?
TOTP codes can be relayed by real-time phishing proxies, read by malware on the device, or exposed wholesale if the server's seed store is breached. Mitigations include phishing-resistant factors such as FIDO2 keys or passkeys where available, encrypting seeds at rest, rate limiting and replay protection on the verifier, and keeping the accepted clock-skew window small.
What are other names for Time-Based One-Time Password (TOTP)?
Common alternative names include: RFC 6238, Time-based OTP.