What Is TOTP?
A time-based one-time password is a temporary code generated using:
TOTP, short for time-based one-time password, is a common MFA method that generates short-lived login codes from a shared secret and the current time. You usually see TOTP in an authenticator app, where a 6-digit code refreshes every 30 seconds or so and is entered after a username and password.
TOTP is widely used because it is simple, inexpensive, and works offline on the user’s device. For related background, see what is mfa and what is passkey.
How TOTP works
TOTP works by making the service and the user’s authenticator independently generate the same code at roughly the same time.
Enrollment creates a shared secret
When a user enables TOTP, the service creates a secret value and shares it with the user’s authenticator app. This is often done through:
- A QR code
- A manual setup key
- In some cases, a hardware token setup process
Once that secret is stored, both the app and the service can generate matching one-time passwords.
The code is based on time
Unlike a static password, a TOTP code changes on a fixed schedule, usually every 30 seconds. The app combines the shared secret with the current time to create the code. The server performs the same calculation and checks whether the submitted value matches.
That means:
- The code is temporary
- Old codes expire quickly
- The authenticator app does not need a mobile signal to generate the code
The user enters the code during login
A typical login flow looks like this:
- Enter username and password
- Get prompted for a second factor
- Open the authenticator app
- Enter the current TOTP code
This is why TOTP is often described as an extra proof that the user has access to the enrolled device or token.
Systems allow limited clock drift
Because TOTP depends on time, the device clock and server clock need to be reasonably close. Most systems allow a small tolerance window to avoid failures from minor timing differences.
If a phone’s time is badly out of sync, valid-looking codes may still fail.
Why TOTP is used
Organizations use TOTP because it offers a practical improvement over passwords alone.
Common benefits include:
- Works across many apps and services
- Does not rely on SMS delivery
- Works offline once enrolled
- Easy to deploy for businesses and consumers
- Reduces the value of stolen passwords
For many teams, TOTP is the first realistic step from no MFA to stronger identity security.
Where you’ll encounter TOTP
You are likely to encounter TOTP in:
- Cloud app logins
- VPN and remote access portals
- Admin dashboards
- Password managers
- Email and social media accounts
- Small business identity rollouts
TOTP is especially common when organizations want MFA without issuing dedicated hardware tokens to every user. For users managing many credentials, a password manager like Try 1Password → can also help reduce password reuse and strengthen the first factor that TOTP builds on.
TOTP vs SMS codes
TOTP and SMS both provide one-time codes, but they work differently.
TOTP
- Generated locally in an authenticator app
- Does not require cell service at login time
- Less exposed to SIM-swap risk than SMS
- Usually preferred over text-message MFA
SMS
- Delivered over the phone network
- More convenient for some users initially
- More dependent on carrier reliability
- Weaker against some account takeover techniques
TOTP is generally considered a better baseline than SMS, even though neither is as phishing-resistant as modern passkey-based methods.
TOTP vs HOTP
HOTP stands for HMAC-based one-time password. It is related to TOTP, but the code changes based on a counter rather than time.
In simple terms:
- TOTP changes with time
- HOTP changes with each use or counter increment
TOTP is more common in modern MFA deployments because the user experience is simpler and better suited to everyday logins.
TOTP vs passkeys
TOTP is useful, but it is not the strongest authentication option available.
TOTP strengths
- Broad support
- Easy setup
- Works with many existing systems
- Stronger than password-only login
TOTP limitations
- Can be captured by real-time phishing kits
- Can be stolen if the endpoint or phone is compromised
- Still depends on the user entering a code into a login flow
Passkeys strengths
- Based on public-key cryptography
- Designed to be phishing-resistant
- Better fit for higher-assurance authentication
That is why many organizations treat TOTP as a strong baseline and passkeys or hardware security keys as the stronger long-term direction for sensitive accounts.
TOTP security limitations
TOTP improves account security, but it does not stop every attack.
Important limitations include:
- Real-time phishing can steal and reuse a valid code before it expires
- Malware on the user’s device may expose secrets or sessions
- Weak recovery processes can undermine strong MFA
- Backup codes must be stored securely
For high-risk accounts, stronger authentication and endpoint protection matter too. On personal devices, tools such as Get Malwarebytes → may help reduce exposure to commodity malware that could otherwise threaten sessions or stored credentials.
Best practices for using TOTP
If you use TOTP, a few habits make it more effective:
- Enable it on important accounts first
- Save backup codes securely
- Keep your device time synchronized
- Protect the primary password with a unique value
- Prefer an authenticator app over SMS when possible
- Use passkeys or hardware-backed MFA for the highest-risk accounts where supported
Final takeaway
TOTP is a time-based one-time password used as a second login factor in MFA. It works by generating short-lived codes from a shared secret and the current time, usually inside an authenticator app. That makes it a practical and widely supported way to strengthen logins beyond a password alone.
It is not phishing-proof, but it is still a meaningful upgrade over password-only authentication and a better baseline than SMS for many users and organizations.