What Is TOTP? How Time-Based One-Time Passwords Actually Work

Every time you open Google Authenticator and see a 6-digit code changing every 30 seconds, you're watching TOTP in action. Here's exactly how it works.

What TOTP Stands For

TOTP stands for Time-based One-Time Password. It's an open standard (RFC 6238) used by Google Authenticator, Authy, Microsoft Authenticator, and virtually every other 2FA app.

How TOTP Codes Are Generated

A TOTP code is calculated from two inputs:

  1. A shared secret key — a random string given to you when you scan a QR code during 2FA setup
  2. The current Unix timestamp — divided into 30-second windows

The algorithm combines these using HMAC-SHA1 to produce a 6-digit number. Because both your device and the server know the same secret and use the same clock, they independently produce the same code — without the secret ever being transmitted over the network.

The Secret Key

The secret key is a Base32-encoded string — typically 16–32 characters, such as JBSWY3DPEHPK3PXP. It's what the setup QR code encodes. The key is established once, at setup, and never changes. It's the single most sensitive piece of information in your 2FA configuration — whoever has it can generate all your future codes.

You can paste a TOTP secret key directly into 2faco.com to generate codes in your browser — the key never leaves your device.

Why TOTP Is Secure

  • The code changes every 30 seconds — a stolen code is useless moments after capture
  • The secret key never travels over the network — unlike SMS codes
  • Works offline — no server contact needed to generate a code
  • Open standard — independently reviewed and proven

Limitations of TOTP

  • Phishable — a fake login page can capture your TOTP code and use it in real time (unlike hardware keys)
  • Time-dependent — if your device clock drifts beyond the server's tolerance window, your codes will be rejected
  • Secret key must be stored securely — if your authenticator app's backup is compromised, every 2FA secret in it is compromised

The Mathematics Behind TOTP

TOTP is built on HMAC (Hash-based Message Authentication Code). The algorithm takes two inputs: your secret key and the current time step (the number of 30-second periods since 1 January 1970 UTC, calculated as floor(Unix_timestamp / 30)). It feeds these into HMAC-SHA1, producing a hash. A short portion of this hash is then selected (the "dynamic truncation" step) and converted to a 6-digit decimal number. The process is deterministic — the same secret key and the same time step always produce the same code — which is why both your app and the server can independently generate identical codes.

Why Codes Change Every 30 Seconds

The 30-second window is a deliberate security design. A short enough window means a code intercepted by an attacker becomes useless very quickly. But it needs to be long enough to be practical — if codes expired after 5 seconds, users would constantly miss the window. The TOTP standard (RFC 6238) specifies 30 seconds as the default period, though some services use 60 seconds.

How the Server Verifies Your Code

When you enter a code at sign-in, the server runs the same TOTP calculation using the secret key it stored when you set up 2FA, and the current time on its end. If the result matches your input, authentication succeeds. To account for minor clock differences and network latency, most servers accept codes from one window before and after the current one — a 90-second total window. If your code is further out of sync than this, authentication fails even if your code was mathematically correct for your clock's current time.

TOTP vs HOTP

TOTP is derived from HOTP (HMAC-based One-Time Password, RFC 4226). The difference is the counter input: HOTP uses an incrementing counter (each code generated advances the counter), while TOTP uses the current time. TOTP is more commonly used today because time-based sync is simpler than counter synchronisation — there is no state to track between the client and server beyond the shared secret and a reliable clock.

What Happens When You Lose the Secret Key

The secret key is the seed for all code generation. If you delete your authenticator app entry without saving the key, and you do not have backup codes, you lose the ability to generate valid codes for that account. The service has no way to regenerate the same secret — they would need to give you a new one by resetting 2FA entirely, which usually requires identity verification. This is why some password managers offer to store both the password and the TOTP secret for an account together, ensuring you always have the seed available.

TOTP in Plain English

TOTP stands for Time-based One-Time Password. It is the technology behind the 6-digit codes that authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator generate. "Time-based" means each code is only valid for a specific time window (typically 30 seconds). "One-time" means each code can only be used once — the server marks it as used after verification to prevent replay attacks. Together, these properties create a second authentication factor that is both easy for users and extremely difficult for attackers.

TOTP is an open standard defined in RFC 6238, built on top of HOTP (HMAC-based One-Time Password, RFC 4226). Because it is an open standard, any compliant authenticator app works with any service that supports TOTP — you are not locked into any single vendor's ecosystem.

How TOTP Codes Are Calculated

A TOTP code is calculated using two inputs: your secret key (a random string shared between you and the service during 2FA setup) and the current time (specifically, the number of 30-second intervals since 1 January 1970 UTC, called the "time step"). These two values are fed into an HMAC-SHA1 or HMAC-SHA256 function, and the output is truncated to produce a 6-digit code. Because both your authenticator app and the service's server perform the same calculation at the same time using the same secret key, they arrive at the same 6-digit code — which is how the server verifies you are in possession of the correct key.

Why TOTP Is More Secure Than SMS Codes

SMS codes travel over the phone network and can be intercepted through SIM swapping or SS7 vulnerabilities. TOTP codes are calculated entirely on your device and never transmitted anywhere — you generate the code locally and type it into a form. There is nothing to intercept. TOTP codes are also time-limited (invalid after 30–90 seconds) and bound to a specific secret key that only you and the service know. The combination of these properties makes TOTP far more resistant to the attacks that compromise SMS-based 2FA.

Frequently Asked Questions

What is the difference between TOTP and HOTP? HOTP (HMAC-based One-Time Password) generates codes based on a counter that increments with each use, rather than time. TOTP is a time-based extension of HOTP that uses the current time as the counter. TOTP is more widely used because it does not require synchronising a counter between the client and server — both just need to agree on the current time.

Does TOTP work without an internet connection? Yes — TOTP codes are generated entirely offline using your device's local clock and the stored secret key. No internet connection is required. This makes TOTP more reliable than SMS 2FA, which requires your phone to have network service.

Can two different authenticator apps generate the same TOTP code for the same account? Yes — if two apps have the same secret key for an account, they will generate identical codes at the same time. This is because the TOTP algorithm is deterministic. You can enroll the same account in multiple apps simultaneously by scanning the same QR code into each — useful for redundancy.