CyberGlossary

Identity & Access

Time-Based One-Time Password (TOTP)

Also known as: RFC 6238, Time-based OTP

Definition

A one-time password algorithm defined in RFC 6238 that derives a short code from a shared secret and the current time, rotating every 30 seconds.

TOTP is a widely deployed second-factor mechanism in which the user's authenticator app (Google Authenticator, Authy, 1Password) and the server share a symmetric seed and each compute the same HMAC-SHA1 over a counter derived from the current Unix time, namely the number of 30-second windows elapsed so far; the result is truncated to the visible 6-8 digit code. The code changes automatically with each window and is valid only briefly, which limits the value of a shoulder-surfed or phished code. TOTP works fully offline once the seed is provisioned, usually by scanning a QR code. Its main weaknesses are real-time phishing proxies (adversary-in-the-middle, AiTM) that relay a freshly entered code within its validity window, malware on the device, and compromise of the stored seeds on the server side; FIDO2 and passkeys are preferred where possible.
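The derivation just described, worked through in code (an added example, not taken from the glossary or from any authenticator app or server), checked against the SHA-1 test vectors published in RFC 6238; the `verify_totp` and `decode_base32_seed` helpers and the `skew` parameter are this example's own additions, showing the server-side window check and the replay caveat a practitioner would want.

```python
"""TOTP (RFC 6238) code generation and server-side verification.

Added example, not from the glossary or any authenticator vendor; the
verify_totp/decode_base32_seed helpers and the skew parameter are my own.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to 31 bits reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole `step`-second
    windows elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_seed(seed: str) -> bytes:
    """The otpauth:// QR code carries the seed as (often unpadded) base32;
    restore padding so the standard decoder accepts it."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                digits: int = 6, step: int = 30, skew: int = 1):
    """Server-side check tolerating +/- `skew` steps of clock drift.
    Returns the matching counter (so the server can persist it and refuse
    any counter <= the last accepted one, blocking replay within the
    window) or None. Constant-time compare avoids leaking the code."""
    base = unix_time // step
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), submitted):
            return base + delta
    return None


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 test seed
    print(totp(seed, 59, digits=8))  # 94287082, per the RFC test vectors
```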

Examples

  • Scanning a QR code into Google Authenticator to enable 2FA on a GitHub account.
  • Entering a 6-digit code from an authenticator app when logging in to a banking portal.

Related terms