Question 1

What is TOTP and how does it work?

Accepted Answer

TOTP (Time-based One-Time Password) is defined in RFC 6238 and is the standard behind most authenticator apps (Google Authenticator, Authy, Microsoft Authenticator). It works by combining a shared secret key (stored in both your authenticator and the server) with the current Unix timestamp divided into 30-second intervals (T = floor(unix_time / 30)). The OTP is computed as: TOTP = HOTP(secret, T) where HOTP (RFC 4226) is an HMAC-SHA1 based algorithm. The last 6 (or 8) digits of the truncated HMAC are the displayed code. Both sides compute independently — if clocks are in sync and the secret matches, the codes match.

Question 2

Why do TOTP codes expire every 30 seconds?

Accepted Answer

The 30-second window is a design choice balancing security and usability. Shorter windows (e.g., 10 seconds) leave too little time for a user to type the code, especially across time zones. Longer windows (e.g., 60 seconds) extend the window an intercepted code remains usable. RFC 6238 specifies 30 seconds as the recommended default. Servers typically accept codes from the previous, current, and next interval (±1 step, or ±30 seconds) to accommodate minor clock drift between devices. A 30-second intercepted TOTP code can only be used within that same window, making it near-useless for attackers.

Question 3

What is the difference between TOTP and HOTP?

Accepted Answer

HOTP (RFC 4226) is counter-based: a shared counter that increments with each use. The client and server must stay in sync. If a code is generated but never used, the counter gets out of sync. TOTP (RFC 6238) is time-based: replaces the counter with the current time divided into steps, so it self-synchronizes as long as both devices have accurate clocks. TOTP is more widely deployed because it self-resets every 30 seconds and doesn't require counter synchronization. HOTP is occasionally used in hardware tokens where clock drift is a concern.

Question 4

Is TOTP considered secure for two-factor authentication?

Accepted Answer

TOTP is significantly stronger than SMS-based 2FA (which is vulnerable to SIM-swapping and SS7 attacks) and provides real-time second-factor validation. However, TOTP has known weaknesses: it is vulnerable to real-time phishing (attacker intercepts code during 30-second window), does not protect against session hijacking after login, and if the shared secret is leaked (e.g., via server breach), all codes are compromised. For highest security, consider FIDO2/WebAuthn hardware keys (e.g., YubiKey) which are phishing-resistant and tied to the specific domain.

Question 5

What happens if I lose access to my TOTP authenticator?

Accepted Answer

If you lose your TOTP device without backup, you are locked out of any account where TOTP was the only 2FA method. Best practices to avoid this: (1) Save the QR code or secret key in a secure password manager when setting up TOTP — this allows restoring to a new device. (2) Save backup/recovery codes provided by most services during TOTP enrollment — store them offline or in a password manager. (3) Register multiple authenticator devices if the service supports it. (4) Use an authenticator that supports encrypted cloud backup (Authy, Google Authenticator with Google account sync, 1Password, Bitwarden). Never store TOTP secrets in unencrypted plain text files.

TOTP Code Generator

Frequently Asked Questions

Code Implementation

Comments & Feedback