A Time-Based One-Time Password (TOTP) is a temporary, unique code generated using the current time as part of the process. It’s widely used for two-factor authentication (2FA) to add an extra layer of security to online accounts.
Why is TOTP important for security?
In an era where cyberattacks are common, relying on just a username and password isn’t enough. TOTPs boost security by ensuring that even if someone steals your password, they still need the temporary code, which expires after a short time, to gain access. This makes unauthorized logins far more difficult.
How does a TOTP work?
TOTP-based 2FA relies on two key factors: something you know (your password) and something you have (a device generating the TOTP). For example, when you log in to a service with your username and password, you’ll be prompted to enter a time-sensitive code from an authenticator app or another source. This ensures that only someone with access to your trusted device can complete the login.
The passcodes typically refresh every 30, 60, 120, or 240 seconds, making them useless to hackers after they expire.
How to get a TOTP?
Users can receive TOTPs through different methods, including:
- Authenticator apps — Popular options include Google Authenticator, Microsoft Authenticator, and Authy.
- Password managers such as Passwd, which include built-in TOTP support.
- Hardware security tokens — Small physical devices that display your unique, time-sensitive code.
- Text messages (SMS) — Sent to your phone from a secure server.
- Email messages — Delivered to your registered email account.
- Voice calls — A spoken code sent via automated call.
While SMS and email are convenient, authenticator apps and hardware tokens are generally considered more secure, as they don’t rely on external servers that could be compromised.
Time-Based vs. Event-Based OTPs: What’s the difference?
The key distinction lies in how the passwords are generated:
- Time-Based One-Time Passwords (TOTP) — Use the current time and a shared secret (a unique key) to generate a temporary code.
- Event-Based One-Time Passwords (HOTP) — Generate a new code based on a counter, triggered by an event like a button press. Each new code depends on the previous one.
Since TOTPs rely on time, they expire quickly, making them more secure against replay attacks.
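To make the "current time plus shared secret" description above concrete, here is an added worked example (not code from the original article or from any of the products it mentions). It implements HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238 on top of Python's standard `hmac` and `hashlib` modules, and adds a small server-side verifier. The `TotpVerifier` class, its `drift` parameter and the `secret_from_base32` helper are this example's own design, not part of either RFC; the 20-byte test secret is the one published in the RFC test vectors, and the verifier's replay check (refusing any time step at or below the last one that succeeded) illustrates the point about replay attacks made above.

```python
import base64
import hashlib
import hmac
import struct


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret that authenticator apps store (e.g. from a QR code).
    Padding is restored because QR payloads usually omit the trailing '=' characters."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic truncation'.
    The low nibble of the last MAC byte selects a 4-byte window; its top bit is masked off
    and the result is reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: identical to HOTP, with the event counter replaced by floor(time / step).
    Every party that knows the secret and the time computes the same code."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server-side check (this class is the example's own design, not from the RFCs).

    Accepts the current time step plus `drift` steps either side to tolerate clock skew,
    compares in constant time, and records the highest step that ever validated so that a
    captured code cannot be replayed even while it is still inside the drift window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_step = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = current + delta
            if candidate <= self.last_step:
                continue  # already used (or older than a used step): treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Secret from the RFC 4226 / RFC 6238 test vectors, in the base32 form an app would import.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0 :", hotp(secret, 0))             # 755224 per RFC 4226
    print("TOTP at t=59   :", totp(secret, 59, digits=8))  # 94287082 per RFC 6238
    v = TotpVerifier(secret, digits=8)
    print("first use      :", v.verify("94287082", 59))    # True
    print("replayed       :", v.verify("94287082", 59))    # False, same step rejected
```

Running the script checks the implementation against the published RFC vectors and then shows the verifier accepting a code once and rejecting the identical code a second time. Two details matter in production: `hmac.compare_digest` avoids leaking the expected code through timing, and the per-account `last_step` must be persisted, otherwise a restart reopens the replay window.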
TOTP: An industry-approved standard
TOTP is an official standard defined by the Internet Engineering Task Force (IETF) under RFC 6238. Other well-known OTP standards include the S/KEY One-Time Password System (RFC 1760), One-Time Password System (RFC 2289), and the HMAC-Based One-Time Password Algorithm (RFC 4226).
Final thoughts
In today’s digital landscape, protecting online accounts is non-negotiable. Implementing TOTP-based two-factor authentication is a simple yet powerful way to safeguard your data from unauthorized access. Whether you prefer a mobile authenticator app, a hardware token, or a password manager such as Passwd, adding this extra layer of security helps keep hackers at bay.
Looking to boost your cybersecurity? Start by enabling TOTP-based 2FA on your accounts today.