eastbaycyber

What Is TOTP?

Glossary 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

A time-based one-time password is a temporary code generated using:

TOTP, short for time-based one-time password, is a common MFA method that generates short-lived login codes from a shared secret and the current time. You usually see TOTP in an authenticator app, where a 6-digit code refreshes every 30 seconds or so and is entered after a username and password.

TOTP is widely used because it is simple, inexpensive, and works offline on the user’s device. For related background, see what is mfa and what is passkey.

How TOTP works

TOTP works by making the service and the user’s authenticator independently generate the same code at roughly the same time.

Enrollment creates a shared secret

When a user enables TOTP, the service creates a secret value and shares it with the user’s authenticator app. This is often done through:

  • A QR code
  • A manual setup key
  • In some cases, a hardware token setup process

Once that secret is stored, both the app and the service can generate matching one-time passwords.

The code is based on time

Unlike a static password, a TOTP code changes on a fixed schedule, usually every 30 seconds. The app combines the shared secret with the current time to create the code. The server performs the same calculation and checks whether the submitted value matches.

That means:

  • The code is temporary
  • Old codes expire quickly
  • The authenticator app does not need a mobile signal to generate the code

The user enters the code during login

A typical login flow looks like this:

  1. Enter username and password
  2. Get prompted for a second factor
  3. Open the authenticator app
  4. Enter the current TOTP code

This is why TOTP is often described as an extra proof that the user has access to the enrolled device or token.

Systems allow limited clock drift

Because TOTP depends on time, the device clock and server clock need to be reasonably close. Most systems allow a small tolerance window to avoid failures from minor timing differences.

If a phone’s time is badly out of sync, valid-looking codes may still fail.

Why TOTP is used

Organizations use TOTP because it offers a practical improvement over passwords alone.

Common benefits include:

  • Works across many apps and services
  • Does not rely on SMS delivery
  • Works offline once enrolled
  • Easy to deploy for businesses and consumers
  • Reduces the value of stolen passwords

For many teams, TOTP is the first realistic step from no MFA to stronger identity security.

Where you’ll encounter TOTP

You are likely to encounter TOTP in:

  • Cloud app logins
  • VPN and remote access portals
  • Admin dashboards
  • Password managers
  • Email and social media accounts
  • Small business identity rollouts

TOTP is especially common when organizations want MFA without issuing dedicated hardware tokens to every user. For users managing many credentials, a password manager like Try 1Password → can also help reduce password reuse and strengthen the first factor that TOTP builds on.

TOTP vs SMS codes

TOTP and SMS both provide one-time codes, but they work differently.

TOTP

  • Generated locally in an authenticator app
  • Does not require cell service at login time
  • Less exposed to SIM-swap risk than SMS
  • Usually preferred over text-message MFA

SMS

  • Delivered over the phone network
  • More convenient for some users initially
  • More dependent on carrier reliability
  • Weaker against some account takeover techniques

TOTP is generally considered a better baseline than SMS, even though neither is as phishing-resistant as modern passkey-based methods.

TOTP vs HOTP

HOTP stands for HMAC-based one-time password. It is related to TOTP, but the code changes based on a counter rather than time.

In simple terms:

  • TOTP changes with time
  • HOTP changes with each use or counter increment

TOTP is more common in modern MFA deployments because the user experience is simpler and better suited to everyday logins.

TOTP vs passkeys

TOTP is useful, but it is not the strongest authentication option available.

TOTP strengths

  • Broad support
  • Easy setup
  • Works with many existing systems
  • Stronger than password-only login

TOTP limitations

  • Can be captured by real-time phishing kits
  • Can be stolen if the endpoint or phone is compromised
  • Still depends on the user entering a code into a login flow

Passkeys strengths

  • Based on public-key cryptography
  • Designed to be phishing-resistant
  • Better fit for higher-assurance authentication

That is why many organizations treat TOTP as a strong baseline and passkeys or hardware security keys as the stronger long-term direction for sensitive accounts.

TOTP security limitations

TOTP improves account security, but it does not stop every attack.

Important limitations include:

  • Real-time phishing can steal and reuse a valid code before it expires
  • Malware on the user’s device may expose secrets or sessions
  • Weak recovery processes can undermine strong MFA
  • Backup codes must be stored securely

For high-risk accounts, stronger authentication and endpoint protection matter too. On personal devices, tools such as Get Malwarebytes → may help reduce exposure to commodity malware that could otherwise threaten sessions or stored credentials.

Best practices for using TOTP

If you use TOTP, a few habits make it more effective:

  • Enable it on important accounts first
  • Save backup codes securely
  • Keep your device time synchronized
  • Protect the primary password with a unique value
  • Prefer an authenticator app over SMS when possible
  • Use passkeys or hardware-backed MFA for the highest-risk accounts where supported

Final takeaway

TOTP is a time-based one-time password used as a second login factor in MFA. It works by generating short-lived codes from a shared secret and the current time, usually inside an authenticator app. That makes it a practical and widely supported way to strengthen logins beyond a password alone.

It is not phishing-proof, but it is still a meaningful upgrade over password-only authentication and a better baseline than SMS for many users and organizations.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.