What Is TOTP?

TOTP stands for Time-Based One-Time Password. It's the algorithm that powers every authenticator app — Google Authenticator, Authy, Microsoft Authenticator, and hundreds more. When you see a 6-digit code that changes every 30 seconds on your phone, that's TOTP in action.

TOTP is defined in RFC 6238 and builds on top of HOTP (HMAC-based One-Time Password, RFC 4226). It's an open standard — any app that follows the specification is interoperable with any service that uses TOTP.

How TOTP Works — Step by Step

TOTP is elegant in its simplicity. It requires only two inputs:

  • A shared secret — a random Base32-encoded string (e.g. JBSWY3DPEHPK3PXP) that the service generates and hands to your phone when you scan a QR code
  • The current time — divided into 30-second windows called "time steps"

The Algorithm

  1. Calculate the time counter: divide the current Unix timestamp by 30 and discard the remainder (e.g. Unix time 1700000000 ÷ 30 = 56666666)
  2. Compute HMAC-SHA1: run HMAC-SHA1 with the decoded shared secret as the key and the counter, encoded as an 8-byte big-endian integer, as the message
  3. Dynamic truncation: read the low 4 bits of the last byte of the 20-byte HMAC as an offset, take the 4 bytes starting at that offset, and clear the top bit to get a 31-bit integer
  4. Modulo: take that integer modulo 10⁶ and left-pad with zeros to get a 6-digit code

Both your phone and the server run this exact same calculation independently. If their clocks are in sync (within ~30 seconds), they produce the same code — proving you have the secret without ever transmitting it.

Why TOTP Is Secure

  • Each code is valid for only 30 seconds. A code intercepted in transit is useless almost immediately.
  • The secret never leaves your device. Unlike SMS, nothing is sent over a network that can be intercepted.
  • HMAC-SHA1 is computationally one-way. You cannot reverse-engineer the secret from a code.
  • Works offline. No internet connection required — just a shared secret and an accurate clock.
  • Open standard. Widely audited and battle-tested since 2011.

TOTP vs HOTP: What's the Difference?

Feature              | TOTP (Time-based)      | HOTP (Counter-based)
---------------------|------------------------|-------------------------------
Code changes         | Every 30 seconds       | After each use
Replay attack risk   | Very low (30s window)  | Higher (code valid until used)
Requires clock sync  | Yes                    | No
Use case             | Authenticator apps     | Hardware tokens

TOTP is preferred for software authenticators because the 30-second window provides excellent security without counter synchronisation complexity.

The TOTP Secret Key

The secret key is the foundation of TOTP security. It's typically:

  • 16–32 characters long
  • Encoded in Base32 (uppercase A–Z and 2–7) to avoid ambiguous characters
  • Shared once during setup via QR code or manual entry
  • Never transmitted again after initial setup

You can generate a cryptographically secure TOTP secret using our free 2FA Secret Generator — it uses the Web Crypto API so the secret never touches our servers.

The QR Code Connection

When you scan a QR code to add an account to your authenticator app, the QR code encodes a URI in this format:

otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30

Your app reads this URI, stores the secret securely, and starts generating codes. You can decode any 2FA QR code using our QR Code Decoder to inspect its contents.
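A parser for exactly this URI format, added here as an example (it is not code from 2FA Fast or from any authenticator app): it splits the label into issuer and account, checks that the secret is Base32, and rejects unsupported algorithm, digits and period values before anything is stored. The sample URI and the function names are constructed for this example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample, same shape as the URI shown above.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30")

ALLOWED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}

def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth:// URI into validated parameters; raise ValueError if off-spec."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("expected otpauth://totp/... or otpauth://hotp/...")
    # The label is "issuer:account" (issuer prefix optional) and may be percent-encoded.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.partition(":") if ":" in label else ("", "", label)
    label_issuer, account = label_issuer.strip(), account.strip()
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}  # last value wins
    if "secret" not in params:
        raise ValueError("secret parameter is required")
    secret = params["secret"].replace(" ", "").upper().rstrip("=")
    if not re.fullmatch(r"[A-Z2-7]+", secret):
        raise ValueError("secret is not Base32 (A-Z, 2-7 only)")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # re-add '=' padding
    # If both the label prefix and the issuer parameter are present they must agree.
    issuer = params.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:
        raise ValueError("issuer parameter does not match the label prefix")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(params.get("digits", "6"))
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    period = int(params.get("period", "30"))
    if period <= 0:
        raise ValueError("period must be a positive number of seconds")
    return {"type": parts.netloc, "issuer": issuer, "account": account, "secret": key,
            "algorithm": algorithm, "digits": digits, "period": period}

def is_valid_otpauth(uri: str) -> bool:
    """Convenience wrapper: True if the URI parses and validates, False otherwise."""
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False
```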

Clock Drift and Time Synchronisation

TOTP requires both the client and server clocks to agree within roughly ±30 seconds. Most implementations accept codes from the previous and next time window (a ±1 window tolerance) to handle slight clock drift. If your codes consistently fail, check that your phone's time is set to automatic/network time.
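The four algorithm steps from the section above together with the ±1 window check described here, as an added example (not the page's or 2FA Fast's own code). It uses the RFC 6238 Appendix B test secret so the output can be checked against the RFC's published vectors, and the verify function returns the matched time step so a server can refuse a replayed code; the function names are this example's own.

```python
import base64
import hmac
import struct
import time

# RFC 6238 Appendix B test secret: the ASCII string "12345678901234567890", Base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret, tolerating lowercase, spaces and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """The four steps: counter -> HMAC -> dynamic truncation -> modulo 10^digits."""
    counter = int(unix_time) // period                       # step 1: integer division
    msg = struct.pack(">Q", counter)                         # counter as 8-byte big-endian
    mac = hmac.new(decode_secret(secret_b32), msg, algorithm).digest()  # step 2
    offset = mac[-1] & 0x0F                                  # step 3: low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)          # step 4, keep leading zeros

def verify(secret_b32: str, candidate: str, unix_time: int, last_accepted: int = -1,
           window: int = 1, period: int = 30, digits: int = 6, algorithm: str = "sha1"):
    """Server-side check with +/- `window` time-step tolerance for clock drift.

    Returns the time-step counter the code matched, or None. Counters at or below
    `last_accepted` are refused so a code cannot be replayed inside the tolerance
    window (RFC 6238 section 5.2). compare_digest keeps the match constant-time."""
    base = int(unix_time) // period
    matched = None
    for counter in range(base - window, base + window + 1):
        expected = totp(secret_b32, counter * period, period, digits, algorithm)
        if hmac.compare_digest(expected.encode(), candidate.encode()) and counter > last_accepted:
            matched = counter
    return matched

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET_B32, now)
    print("code:", code, "matched step:", verify(RFC6238_SECRET_B32, code, now))
```

With `digits=8` the output for Unix time 59 is the RFC's first SHA1 vector, 94287082; the 6-digit form drops the two leading digits.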

TOTP in Practice: What Supports It

TOTP is supported by thousands of services including:

  • Google, GitHub, Dropbox, Amazon, Microsoft
  • All major cryptocurrency exchanges
  • Password managers (Bitwarden, 1Password, LastPass)
  • VPN providers and SSH servers
  • WordPress, Shopify, and most CMSs

Try generating a live TOTP code right now with our browser-based TOTP generator — enter any Base32 secret to see the current code.

Frequently Asked Questions

Is TOTP the same as Google Authenticator?

Google Authenticator is an app that implements the TOTP standard. TOTP is the open algorithm — any app that follows RFC 6238 (Authy, Microsoft Authenticator, Bitwarden, etc.) works with any service that uses TOTP. They're all interchangeable.

What algorithm does TOTP use?

Standard TOTP uses HMAC-SHA1. Some services optionally support HMAC-SHA256 or HMAC-SHA512 for stronger hashing, but SHA1 remains the default because it's universally supported and has not been broken in the HMAC context.

How many digits does a TOTP code have?

6 digits is the standard. Some services use 8 digits for additional security. Both are specified in RFC 6238. The number of digits is encoded in the setup QR code.

Can TOTP codes be intercepted?

Not by passive eavesdropping — the secret is never transmitted. Real-time phishing (a fake login page that relays your code instantly) is the main theoretical attack, but it's complex to execute and can be defeated by using a hardware security key.

What is the period/interval for TOTP?

30 seconds is the standard. The period is configurable (some services use 60 seconds), and it's included in the setup QR code URI. Most authenticator apps support custom periods.

Written by Shoyeb Akter

Security Tools Developer and creator of 2FA Fast — a privacy-first browser-based authenticator and security tools platform.