What is TOTP?

A TOTP (Time-Based One-Time Password) is a short numeric code, usually six digits, that changes every 30 seconds or so and is used as a second factor to prove you are who you say you are when logging into an online service. It is generated on your phone or another device from a secret that is shared only between that device and the service; the secret never travels over the internet after setup, and only the short-lived code is typed into the login form.

Let's break it down

  • Time-Based: The code is derived from the current clock time, so it only works for a short window.
  • One-Time: Each code is valid only within its time window, and a properly built server refuses a code it has already accepted, so a captured code cannot be replayed.
  • Password: It acts like a secret word or number that proves your identity, in addition to your normal password.
  • Algorithm: A set of math steps defined in RFC 6238 (HMAC with SHA-1 by default; SHA-256 and SHA-512 are also allowed) that turn the shared secret and the current time step into a 6- to 8-digit number.
  • Shared secret: A random key that both the service and your device know; it is exchanged once at setup, usually as a base32 string inside a QR code, and is the seed for every code.
  • Time step: The fixed period (commonly 30 seconds) after which a new code is produced; the number of steps elapsed since the Unix epoch is the counter fed to the HMAC.

Why does it matter?

TOTP adds a second factor beyond the password, so an attacker who has stolen or guessed your password still cannot log in without the current code. Because the code is derived from a secret that stays on the device and expires within a short window, a password leaked in a breach or captured by a keylogger is not enough on its own, and a code observed once is useless after its window closes. It does not, however, stop a real-time phishing site that relays your code to the genuine service within that window; phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are needed for that.

Where is it used?

  • Mobile authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy, which hold the secret and generate the codes.
  • Online banking and payment platforms that require a verification code for transactions.
  • Corporate VPNs and remote-desktop services that demand two-factor login.
  • Cloud services like AWS, GitHub, and Dropbox that offer TOTP as an optional security setting.

Good things about it

  • Strong second factor without needing extra hardware tokens; any phone or computer can hold the secret.
  • Works offline; no internet connection is required to generate the code.
  • Widely supported by many services and apps.
  • Short, easy-to-type numbers that are user-friendly.
  • Time-limited codes reduce the window for misuse.

Not-so-good things

  • Requires the device’s clock to be roughly accurate; servers normally accept codes from one time step on either side of their own clock, but drift beyond that causes login failures.
  • If you lose the device that holds the secret, you may be locked out unless you saved backup codes or enrolled a second device.
  • Setting up and backing up the shared secret can be confusing for non-technical users, and a secret that is backed up carelessly (for example as a screenshot of the QR code) is as sensitive as the password itself.
  • Real-time phishing (adversary-in-the-middle) sites can capture the current TOTP and forward it to the genuine service within its validity window; TOTP proves you hold the secret, not which site you are talking to.