
TOTP (Time-Based One-Time Password)

An authentication mechanism that generates short-lived numeric codes based on a shared secret and the current time.

TOTP, or Time-Based One-Time Password, is an algorithm that generates a short numeric code (typically six digits) that changes every 30 seconds. It is defined in RFC 6238 and is one of the most widely adopted methods for implementing two-factor authentication. Users typically set up TOTP by scanning a QR code with an authenticator application, which stores the shared secret and generates codes locally on the device.

How It Works

TOTP relies on two inputs: a shared secret key established during enrollment and the current Unix timestamp. The algorithm divides the current time by a fixed interval (usually 30 seconds) to produce a time counter. This counter and the shared secret are fed into an HMAC-SHA1 function, and the output is truncated to produce a numeric code. Because both the server and the authenticator app share the same secret and use the same time source, they independently generate the same code at the same time.

During authentication, the user enters the code displayed in their authenticator app alongside their password. The server generates its own expected code using the stored secret and current time, then compares them. Most implementations accept codes from one or two adjacent time windows to account for clock drift between the server and the user's device.

The security of TOTP depends on the secrecy of the shared key. If an attacker obtains the secret during enrollment (for example, by intercepting the QR code or accessing the server's secret storage), they can generate valid codes indefinitely. Additionally, TOTP codes are phishable: an attacker who captures a code in real time through a phishing site can replay it within the valid time window.
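The following is an added example, not code from the original glossary entry: a minimal RFC 4226/6238 implementation in Python's standard library that shows the steps described above (time counter, HMAC-SHA1, dynamic truncation), plus a server-side verifier that accepts adjacent time windows for clock drift and refuses to accept a code a second time, so that a code captured and replayed inside its window is rejected. The class name `TotpVerifier` and its method names are this example's own; the secret and expected codes are the published RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window,
    # whose top bit is cleared to give a 31-bit integer.
    offset = mac[-1] & 0x0F
    code_int = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def time_counter(timestamp: int, step: int = 30, t0: int = 0) -> int:
    """RFC 6238 time counter T = floor((unix_time - T0) / X)."""
    return (timestamp - t0) // step


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the time counter as the moving factor."""
    return hotp(secret, time_counter(timestamp, step), digits)


class TotpVerifier:
    """Server-side check with a drift window and one-time-use enforcement (example class)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # +/- time steps tolerated for clock drift
        self.last_accepted_counter = -1  # per-user state; would be persisted in a real system

    def verify(self, submitted: str, now: int) -> bool:
        current = time_counter(now, self.step)
        for counter in range(current - self.window, current + self.window + 1):
            # Never accept a counter at or before one already used: this rejects a
            # replayed code even while it is still inside the drift window.
            if counter <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so the response time leaks nothing about the code.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), 8-digit codes.
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, 59, digits=8))  # 94287082 per RFC 6238
    print("current 6-digit code:", totp(demo_secret, int(time.time())))
```

Rate limiting and secret storage are outside this block: `verify` assumes the caller already throttles attempts per account, since a six-digit space with a two-window tolerance is small enough to brute-force without it.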

Why It Matters

TOTP significantly raises the bar for account compromise because an attacker needs both the user's password and access to their authenticator device. However, it is not immune to attack. Security assessments should verify that TOTP secrets are stored securely, that backup codes are handled properly, that rate limiting prevents brute-force attempts against the six-digit code space, and that the enrollment process cannot be hijacked.
