Multi-Factor Authentication

TOTP (Time-Based One-Time Password)

TOTP is the algorithm behind authenticator-app codes (Google Authenticator, Authy, 1Password) — a 6-digit code that changes every 30 seconds, derived from a shared secret and the current time.

Last reviewed 5/30/2026

Key points

  • Defined in RFC 6238
  • Shared secret + current timestamp → 6-digit code
  • Works offline; no SMS dependency
  • Vulnerable to real-time phishing (attacker-in-the-middle)
  • Acceptable second factor but no longer phishing-resistant by NIST/CISA standards

What it is

TOTP (Time-Based One-Time Password, RFC 6238) is the algorithm that powers authenticator apps. When you scan a QR code at setup, you're sharing a secret seed; the app combines that seed with the current 30-second time window to produce a 6-digit code.

How it works

code = HMAC-SHA1(secret, floor(unixtime / 30)) truncated to 6 digits. The time step is packed as an 8-byte big-endian counter, the HMAC output is reduced with RFC 4226 dynamic truncation, and the result is taken mod 10^6. Server and client compute the same value independently — no network needed at sign-in time.

When buyers care

  • Replacing SMS as a second factor (TOTP is stronger than SMS)
  • Adding MFA quickly without rolling out hardware keys
  • Backup factor when passkeys aren't available

Common misconceptions

  • TOTP is not phishing-resistant. An attacker phishing your password can ask for the TOTP in real time and replay it.
  • TOTP secrets need backup. Losing the phone without backup locks the user out — plan recovery flows.

FAQ

Is TOTP good enough in 2026?

For low-to-medium risk it's acceptable. For admin, financial, or regulated workloads, prefer phishing-resistant factors: passkeys, WebAuthn, hardware keys.

TOTP vs HOTP?

HOTP (RFC 4226) is counter-based; TOTP is time-based. TOTP is the dominant modern variant.