
Understanding TOTP: How Time-Based One-Time Passwords Work

Tatsuro Matsuzaki
Tags: Security, Authentication, TOTP

Learn the technical details behind TOTP authentication and why it's more secure than traditional password methods.

What is TOTP?

Time-based One-Time Password (TOTP) is an algorithm that generates a one-time password using the current time as its source of uniqueness. TOTP is an extension of the HMAC-based One-Time Password algorithm (HOTP), which generates a one-time password by combining a secret key with a counter.

How TOTP Works

TOTP takes the following inputs:

  • A shared secret key (known to both the authenticator app and the server)
  • The current time, typically rounded to 30-second intervals

The algorithm then performs the following steps:

  1. The current time is converted to a counter value (typically the number of 30-second intervals since the Unix epoch)
  2. The counter is combined with the secret key using an HMAC algorithm (usually HMAC-SHA1)
  3. A portion of the resulting hash is extracted and converted to a 6-8 digit code

Why TOTP is Secure

TOTP offers several security advantages:

  • Time-limited: Each code is only valid for a short period (typically 30 seconds)
  • One-time use: Once a code is used, it cannot be reused
  • Independent of password: Even if your password is compromised, attackers still need the TOTP code
  • Offline generation: Codes can be generated without an internet connection

TOTP vs. SMS-based 2FA

While SMS-based two-factor authentication is better than no 2FA at all, TOTP offers several advantages:

  • Not vulnerable to SIM swapping attacks
  • Works without cellular service or internet connection
  • No delay waiting for SMS delivery
  • Not subject to SMS interception

Managing TOTP with 2FA Cloud KtYm

While TOTP is more secure than SMS-based 2FA, managing multiple TOTP secrets across different accounts and devices can be challenging. This is where 2FA Cloud KtYm comes in, offering:

  • Secure cloud storage of your TOTP secrets
  • Synchronization across all your devices
  • Team sharing capabilities for business accounts
  • Encrypted storage to protect your authentication data

Conclusion

TOTP provides a robust second factor for authentication that significantly enhances the security of your online accounts. By understanding how TOTP works, you can make more informed decisions about your digital security strategy. With 2FA Cloud KtYm, you can enjoy the security benefits of TOTP while eliminating the management headaches that often come with it.