
What Is TOTP? How Time-Based One-Time Passwords Actually Work

Every time you open Google Authenticator and see a 6-digit code changing every 30 seconds, you're watching TOTP in action. Here's exactly how it works.

What TOTP Stands For

TOTP stands for Time-based One-Time Password. It's an open standard (RFC 6238) used by Google Authenticator, Authy, Microsoft Authenticator, and virtually every other 2FA app.

How TOTP Codes Are Generated

A TOTP code is calculated from two inputs:

  1. A shared secret key: a random string given to you when you scan a QR code during 2FA setup
  2. The current Unix timestamp, divided into 30-second windows

The algorithm combines these using HMAC-SHA1 (the RFC 6238 default; SHA-256 and SHA-512 are also allowed) to produce a 6-digit number. Because both your device and the server know the same secret and use the same clock, they independently produce the same code. The secret never has to be sent again after setup, and the server never has to send you the code; the only thing that crosses the network at sign-in is the short-lived code you type in.

The Secret Key

The secret key is a Base32-encoded string, typically 16 to 32 characters like JBSWY3DPEHPK3PXP (16 Base32 characters decode to 10 raw bytes, 80 bits; RFC 4226 recommends at least 128 bits and prefers 160). It is what the QR code encodes. The key is established once, at setup, and never changes. It is the single most sensitive piece of information in your 2FA configuration: whoever has it can generate all your future codes.

You can paste a TOTP secret key directly into 2faco.com to generate codes in your browser; the key never leaves your device.

Why TOTP Is Secure

  • The code changes every 30 seconds: a captured code is only useful until the server's acceptance window closes (typically about 90 seconds at most), and a server that refuses to accept the same code twice shuts the window the moment you log in
  • The secret key never travels over the network after setup, and only a short-lived code is sent at sign-in; SMS delivers the code itself through the carrier network, where it can be intercepted or redirected by SIM swapping
  • Works offline: no server contact is needed to generate a code
  • Open standard: widely reviewed, and any RFC 6238 app works with any RFC 6238 server

Limitations of TOTP

  • Phishable: a fake login page can capture your TOTP code and relay it to the real site in real time, because the code is just a number with no binding to the site you are on (FIDO2/WebAuthn hardware keys bind their response to the site's origin, so a relayed response fails)
  • Time-dependent: if your device clock drifts beyond the server's acceptance window, your codes will be rejected
  • Secret key must be stored securely: if your authenticator app backup is compromised, every 2FA token in it is compromised

The Mathematics Behind TOTP

TOTP is built on HMAC (Hash-based Message Authentication Code). The algorithm takes two inputs: your secret key and the current time step (the number of 30-second periods since January 1, 1970, calculated as floor(Unix_timestamp / 30)). The time step is encoded as an 8-byte big-endian integer and fed, with the secret, into HMAC-SHA1, producing a 20-byte hash. A portion of the hash is then extracted by "dynamic truncation": the low 4 bits of the last byte select an offset, the 4 bytes starting at that offset are read as a big-endian integer with the top bit cleared (31 bits), and that integer modulo 1,000,000 is the 6-digit code, zero-padded on the left. The process is deterministic: the same secret key and the same time step always produce the same code, which is why both your app and the server can independently generate identical codes.
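The calculation above, carried out in code. This is an added example written for this article, not code from Google Authenticator or any 2FA vendor; it uses only the Python standard library. It builds the HOTP core first (HMAC over an 8-byte counter plus dynamic truncation) and then defines TOTP as HOTP with the counter replaced by floor(time / 30). The reference secret "12345678901234567890" and the expected codes come from the test vectors in RFC 4226 and RFC 6238; the Base32 key JBSWY3DPEHPK3PXP is the example key quoted in this article.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                      # counter as 8 bytes, big-endian
    mac = hmac.new(secret, msg, algorithm).digest()       # 20 bytes for SHA-1
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the window
    window = struct.unpack(">I", mac[offset:offset + 4])[0]
    code = window & 0x7FFFFFFF                            # clear the top bit: 31-bit integer
    return str(code % (10 ** digits)).zfill(digits)       # keep the last `digits` decimal digits


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the time step floor(T / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def decode_base32_secret(key: str) -> bytes:
    """Turn the Base32 string from a QR code or setup page into the raw key bytes.
    Tolerates the spaces and lowercase that setup pages often display, and adds
    the '=' padding that many sites omit."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret: the ASCII bytes of "12345678901234567890"
    rfc_secret = b"12345678901234567890"
    print(hotp(rfc_secret, 0))       # 755224: RFC 4226 vector for counter 0
    print(totp(rfc_secret, 59))      # 287082: T=59 is time step 1, the same as HOTP counter 1
    print(totp(rfc_secret, 1234567890))  # 005924: RFC 6238 SHA-1 vector, truncated to 6 digits

    # The example key from this article decodes to 10 raw bytes
    secret = decode_base32_secret("JBSWY3DPEHPK3PXP")
    print(secret)                    # b'Hello!\xde\xad\xbe\xef'
    print(totp(secret, int(time.time())))  # what an authenticator app shows right now
```

Note the leading-zero case: the RFC 6238 vector for T=1234567890 yields 005924, which is why the code is zero-padded rather than printed as an integer. An app that displayed "5924" would be rejected by any server that compares strings of fixed length.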

Why Codes Change Every 30 Seconds

The 30-second window is a deliberate security design. A short enough window means a code intercepted by an attacker becomes useless very quickly. But it needs to be long enough to be practical: if codes expired after 5 seconds, users would constantly miss the window. The TOTP standard (RFC 6238) specifies 30 seconds as the default period, though some services use 60 seconds.

How the Server Verifies Your Code

When you enter a code at sign-in, the server runs the same TOTP calculation using the secret key it stored when you set up 2FA, and the current time on its end. If the result matches your input, authentication succeeds. To account for minor clock differences and network latency, most servers accept codes from one window before and after the current one, a 90-second total window. If your code is further out of sync than this, authentication fails even if your code was mathematically correct for your clock's current time. Two details matter on the server side: the comparison should be constant-time, and the server should remember the last time step it accepted and refuse a code for that step again (RFC 6238 requires this), so that a code captured by a phishing page or shoulder-surfer cannot be replayed during the remaining seconds of the window.

TOTP vs HOTP

TOTP is derived from HOTP (HMAC-based One-Time Password, RFC 4226). The difference is the counter input: HOTP uses an incrementing counter (each code generated advances the counter), while TOTP uses the current time step. TOTP is more commonly used today because time-based sync is simpler than counter synchronisation: with HOTP, a token whose button is pressed without logging in advances its counter ahead of the server's, so the server has to search a look-ahead window of counters and resynchronise when it finds a match. With TOTP there is no state to track between the client and server beyond the shared secret, a reliable clock, and the last time step the server accepted.
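The server side of both schemes, as an added example for the verification section above and for the TOTP versus HOTP comparison. This is illustrative code written for this article, not any vendor's implementation; the reference secret and codes are the RFC 4226 / RFC 6238 test vectors. The TOTP verifier accepts one step either side of the current one but burns each step once used, so a replayed code inside the 90-second window fails; the HOTP verifier searches a look-ahead window and moves its counter past whatever it matched, so skipped or replayed codes fail too.

```python
import hashlib
import hmac
import struct


def _hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 core: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side of TOTP: accepts +/-window steps around 'now', and never accepts
    a step at or below the last one that succeeded (RFC 6238 section 5.2 replay rule)."""

    def __init__(self, secret: bytes, period: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.period = period
        self.window = window
        self.digits = digits
        self.last_step_used = -1            # highest time step that has already logged in

    def verify(self, code: str, now: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False                    # reject before doing any crypto on junk input
        step = now // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step_used:
                continue                    # already used, or older than a used step: replay
            if hmac.compare_digest(_hotp(self.secret, candidate, self.digits), code):
                self.last_step_used = candidate   # burn this step
                return True
        return False


class HotpVerifier:
    """Server side of HOTP: the client may have advanced its counter without logging in,
    so the server tries the next look_ahead counters and resynchronises on a match."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = 0                    # next counter value the server expects

    def verify(self, code: str) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(_hotp(self.secret, candidate, self.digits), code):
                self.counter = candidate + 1    # skip past anything the client burned
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC test-vector secret
    tv = TotpVerifier(secret)
    print(tv.verify("287082", 59))          # True: step 1 at T=59
    print(tv.verify("287082", 70))          # False: same code replayed 11 seconds later
    print(tv.verify("359152", 59))          # True: step 2, client clock 30 s ahead, inside window

    hv = HotpVerifier(secret, look_ahead=3)
    print(hv.verify("755224"))              # True: counter 0
    print(hv.verify("969429"))              # True: counter 3, client skipped 1 and 2; resync to 4
    print(hv.verify("969429"))              # False: replay, counter already past 3
```

The HOTP look-ahead is the synchronisation cost the text refers to: a larger window tolerates more stray button presses but gives an attacker more valid codes per guess, and a client that drifts beyond it is locked out until an out-of-band resync.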

What Happens When You Lose the Secret Key

The secret key is the seed for all code generation. If you delete your authenticator app entry without saving the key, and you do not have backup codes, you lose the ability to generate valid codes for that account. The service has no way to regenerate the same secret โ€” they would need to give you a new one by resetting 2FA entirely, which usually requires identity verification. This is why some password managers offer to store both the password and the TOTP secret for an account together, ensuring you always have the seed available.
