Time-Based One-Time Password (TOTP)

A Time-Based One-Time Password (TOTP) is a temporary, time-synchronized code generated by a shared secret and used as a second authentication factor.

TOTP is defined in IETF RFC 6238 and is the most widely deployed software-based second factor, used by billions of accounts across Google, Facebook, GitHub, and enterprise systems. The FIDO Alliance and NIST SP 800-63B recognize TOTP as an approved single-factor OTP authenticator at AAL2 when paired with a memorized secret. Over 60% of enterprise identity platforms offer TOTP as a core MFA factor, with authenticator app adoption growing 35% year-over-year as SMS OTP is phased out due to SIM-swap risks.

What is Time-Based One-Time Password (TOTP)?

A Time-Based One-Time Password (TOTP) is a temporary authentication code that is generated using a shared secret key and the current time. Defined in IETF RFC 6238, TOTP codes typically expire after a short window (commonly 30 seconds) and are generated by an authenticator app on the user's device — such as Google Authenticator, Microsoft Authenticator, Authy, or LoginRadius Authenticator.

The code is derived by combining a pre-shared secret (established during enrollment) with the current Unix time divided into fixed time steps. Both the server and the user's device independently compute the same code using HMAC-SHA1 (RFC 6238 also permits HMAC-SHA256 and HMAC-SHA512). Because the code is generated on-device and never delivered to the user over a network, TOTP is inherently resistant to interception, SIM-swap attacks, and phishing compared to SMS-based OTPs. Note that TOTP does not stop real-time phishing proxies: a code typed into a look-alike site can be relayed to the real service within its validity window, which is why NIST SP 800-63B does not class OTP authenticators as verifier-impersonation resistant.

To set up TOTP, a user typically scans a QR code (which encodes the secret key) with their authenticator app. The app then generates 6- to 8-digit codes that change every 30 seconds. During login, after entering their primary credentials, the user opens the authenticator app and enters the current code. The server validates it by computing the expected code and comparing the two, allowing for a small clock drift tolerance (typically ±1 time step).

Analogy

TOTP is like a synchronized safe-deposit box that automatically generates a new combination every 30 seconds. Both you and the bank have the same master seed programmed into your respective boxes, so the combination changes in perfect sync. Even if someone saw today's combination, it would be useless 31 seconds later.

Types and Use Cases

  • Two-Factor Authentication (2FA): TOTP is the most common second factor for consumer and enterprise accounts — users enter their password then a 6-digit code from an authenticator app.
  • Passwordless Login: Some platforms allow TOTP as a primary authentication method where the time-based code replaces the password entirely on trusted devices.
  • Transaction Signing: Banks and financial apps use TOTP codes — sometimes derived from transaction-specific data — to verify high-value transfers or sensitive account changes.
  • Backup Authentication: TOTP codes serve as robust backup codes for account recovery when primary MFA methods (like push notifications or hardware keys) are unavailable.

How it Works

1. The user enables TOTP in their account security settings. The server generates a random secret key and displays it as a QR code.
2. The user scans the QR code with their authenticator app. The app stores the secret and begins generating codes synchronized to the server's time.
3. The user verifies enrollment by entering the current code from the app. The server computes the expected code using the same secret and time step and confirms the match.
4. On subsequent logins, the user enters their primary credentials, then opens the authenticator app and enters the displayed TOTP code.
5. The server computes the expected TOTP for the current and adjacent time windows (to account for slight clock drift) and validates the user's entry.
Illustrative generation and validation data (pseudocode, not valid JSON: the expression values show how each field is derived):

```
{
  "totpGeneration": {
    "algorithm": "HMAC-SHA1",
    "digits": 6,
    "timeStep": 30,
    "secret": "JBSWY3DPEHPK3PXP",
    "currentTime": 1717500000,
    "timeCounter": Math.floor(1717500000 / 30),
    "otp": hmac_sha1(secret, timeCounter).truncate(6)
  },
  "validation": {
    "userProvidedCode": "482935",
    "computedCodes": {
      "previousStep": "173846",
      "currentStep": "482935",
      "nextStep": "920174"
    },
    "match": true
  }
}
```

Time-Based One-Time Password (TOTP) vs HMAC-based One-time Password (HOTP)

  • TOTP uses the current time as the moving factor, so codes change every 30 seconds regardless of use.
  • HOTP uses a counter that increments only after each successful authentication, meaning codes remain valid until used.

  • TOTP is time-synchronized and requires the server and client clocks to be loosely in sync.
  • HOTP has no time dependency — making it suitable for offline devices or environments with unreliable clocks.

  • TOTP users must wait for the next time window if they miss entering the code in time.
  • HOTP codes stay valid until the counter advances — but HOTP requires the server to maintain and synchronize the counter, which can drift out of sync if codes are generated but not used.

Best Practices for Time-Based One-Time Password (TOTP)

  • Encourage users to use authenticator apps rather than SMS-based OTP, since TOTP codes are generated locally and immune to SIM-swap attacks.
  • Allow a clock drift tolerance of ±1 time step (30 seconds) to accommodate minor device clock skew without compromising security.
  • Provide backup codes or alternative MFA methods (e.g., recovery codes, push notifications) in case the user loses access to their authenticator app.
  • Support both TOTP and HOTP in your MFA framework so users with authenticators that don't support time-sync (some older hardware tokens) can still enroll.

How LoginRadius Powers Time-Based One-Time Password (TOTP)

LoginRadius supports TOTP as a core MFA factor in its CIAM platform. Users can enroll via the LoginRadius Authenticator app or any standards-compliant TOTP app (Google Authenticator, Authy, etc.). The Admin Console provides granular controls to enforce TOTP enrollment for specific user groups, applications, or risk levels. LoginRadius also handles TOTP recovery through backup codes and alternative MFA fallback methods.

FAQs

Is TOTP more secure than SMS OTP?

Yes. TOTP is significantly more secure than SMS OTP because the code is generated on the user's device and never delivered over a network. SMS OTPs are vulnerable to SIM-swap attacks, SS7 protocol interception, and phishing. TOTP also works offline: no cellular or internet connection is required to generate the code. The FIDO Alliance and NIST both recommend TOTP or hardware authenticators over SMS for stronger authentication.

What happens if the device clock is out of sync?

TOTP relies on accurate time synchronization. If the device clock is off by more than the allowed drift (typically ±30 seconds), the generated codes won't match the server's expectation. Most authenticator apps sync with the device's network time automatically, so this is rare. If you experience persistent code mismatches, resync your device's clock via your OS time settings or re-enroll by scanning a new QR code.

How does LoginRadius support TOTP?

LoginRadius provides TOTP as a built-in MFA factor through the LoginRadius Authenticator app and standard third-party authenticator apps. The Admin Console allows administrators to enable or require TOTP for login, password reset, and high-risk transactions. LoginRadius supports RFC 6238-compliant TOTP with configurable time steps and digit lengths, and offers self-service enrollment and recovery flows through the user dashboard.
