What is Time-Based One-Time Password (TOTP)?
A two-factor authentication method that generates temporary codes based on the current time and a shared secret, used by apps like Google Authenticator.
TOTP generates a new 6-digit code every 30 seconds using a shared secret and the current time.
How It Works
- During setup, the server generates a secret key (shared via QR code)
- Your authenticator app stores this secret
- Both the app and the server independently compute HMAC(secret, floor(current Unix time / 30)) and truncate the result to a 6-digit code
- The codes match because both sides hold the same secret and agree on the current time (within the 30-second step)
Advantages Over SMS
- Works offline — no cell signal needed
- Not vulnerable to SIM swapping attacks
- Not vulnerable to SS7 network attacks
- Faster than waiting for a text message
Recommended Apps
- Aegis (Android, open source)
- Raivo (iOS, open source)
- KeePassXC (desktop, integrated with password manager)
- Avoid Google Authenticator — no encrypted backup until recently
Backup
Always save the setup QR code or secret key during enrollment. If you lose your phone without a backup, you'll be locked out of your accounts.
Related Terms
Security Key
A physical hardware device used for two-factor authentication that provides phishing-resistant proof of identity. Security keys use cryptographic protocols (FIDO2/WebAuthn) that verify both the user and the website, preventing credential theft.
Two-Factor Authentication
A security method requiring two different types of identification to access an account: something you know (password) plus something you have (phone, hardware key) or something you are (biometric). This significantly reduces the risk of unauthorized access even if your password is compromised.