What is a Time-Based One-Time Password (TOTP)?

A Time-Based One-Time Password (TOTP) is an authentication method in which unique codes are generated every 30 to 60 seconds by an algorithm. When TOTP is used for Multi-Factor Authentication (MFA), the user enters the current TOTP code after entering their password in order to verify their identity and access the account.

How TOTP works

TOTP hinges on a shared secret key that a code-generating algorithm combines with the current time. The secret is unique for each enrolment, and because the time is one of the inputs, the algorithm produces a new, unique code every 30 to 60 seconds.

Each time a user enrols a new TOTP for an account, the account's servers generate a unique secret key, usually displayed as a QR code. The server keeps the secret and uses it to generate the TOTP codes.

The user scans the QR code with an authenticator tool, which can be a dedicated phone app or a feature of a password manager. Because the authenticator tool now holds the same secret, it calculates exactly the same six-digit codes that the server does.

Once it's set up, the algorithm runs with the same secret on both the server and the user's authenticator tool, producing the same six-digit codes at the same time.

When a user logs in, they enter the current code displayed on their authenticator tool. The server will compare the code it calculated to the user’s code. If the codes match, the user is verified and granted access.

Illustration: how time-based one-time passwords (TOTP) work. It shows a QR code generated by the server that carries the secret, an authenticator app with which the secret is shared, the six-digit code generated by the app, and a symbol conveying enhanced authentication.

How to use TOTP

Here are the steps to using TOTP:

  1. Choose your authenticator tool. We recommend using a password manager to generate your TOTP codes because it streamlines the login process and doesn’t require you to use multiple devices just to log into your account.

  2. Request a TOTP secret from your account. Log into your account and find the security settings. If TOTP codes are an MFA option for your account, you will see a setting to request a QR code.

  3. Scan the QR code with your authenticator tool. Whatever app you’re using will have a way to scan the QR code, most likely using either your phone camera or a screenshot function.

  4. You’re all set up! Whenever you log in and the server requests a code for authentication, consult your authenticator tool to find the displayed code. Be sure to enter the code before the time is up and the code changes (usually every 30 to 60 seconds).

Why you should use TOTP authentication

TOTP is one of the most secure and convenient forms of multi-factor authentication. MFA is recommended for all accounts and operates as an additional layer of security for your password. If someone obtains a password and tries to log into an account that has MFA enabled, they won’t be able to gain access without the second authentication method.

Passwords are frequently compromised in mass data breaches and other cyber attacks. This makes MFA vital. If you don’t use MFA on your accounts, cybercriminals can easily log in with stolen credentials and access your confidential data.

What makes TOTP one of the most secure forms of MFA is that the codes are independently calculated by the two parties. Because of this, the codes never need to be transmitted between the parties, and the code cannot be intercepted in transit as long as the secret key remains secret. The fact that the code changes so frequently provides an additional layer of security.

Compared to a traditional verification code, usually sent by email or text, TOTP is much more secure. This is because emails and texts are not encrypted and can be easily intercepted by cybercriminals.

OTP vs. TOTP vs. HOTP

The difference between OTP, TOTP and HOTP is the type of factor used to calculate the resulting password code.

A One-Time Password (OTP) is an umbrella term referring to any kind of one-use code used for authentication. These verification codes can be generated in a variety of ways, some of which can be more secure than others.

TOTP, as we’ve established, is a type of OTP that uses time as a factor in calculating the code. The factor changes as time passes, meaning that a new code is generated every 30 to 60 seconds. Because TOTP changes so frequently, it’s the most secure type of OTP.

A Hash-Based One-Time Password (HOTP) works similarly, except it uses a different factor to calculate the code: a counter of how many times a code has been requested. The code is derived by running a Hash-Based Message Authentication Code (HMAC) over that counter, so the code changes each time a new code is requested, as opposed to changing every 30 to 60 seconds.

Comparing OTP types
  • TOTP
    • Uses the current time as a basis for generating codes
    • Changes every 30 to 60 seconds
    • Most secure method
  • HOTP
    • Uses code request count as a basis for generating codes
    • Stays the same until a new code is requested
    • Still secure, but less so than TOTP
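The following Python is an added worked example, not code from the original article or from Keeper. It implements the mechanism the "How TOTP works" and "OTP vs. TOTP vs. HOTP" sections describe: HOTP as in RFC 4226 (an HMAC-SHA1 over an 8-byte counter, truncated to six digits), TOTP as in RFC 6238 (the same function with the counter replaced by the current 30-second time step), the otpauth:// URI that an enrolment QR code encodes (step 2 of "How to use TOTP"), and the server-side checks: a small clock-drift window with replay rejection for TOTP, and a look-ahead resynchronisation window for HOTP. The key, account name, issuer and window sizes are constructed values for the demonstration; the key is the published RFC 4226/6238 test key so the outputs can be compared against the RFC tables.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); a constructed value for the demo.
DEMO_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte picks a 4-byte window
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)  # keep leading zeros: "081804" is a valid code


def totp(key: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    now = time.time() if for_time is None else for_time
    return hotp(key, int(now) // step, digits)


def verify_totp(key: bytes, submitted: str, for_time: Optional[float] = None, step: int = 30,
                window: int = 1, last_counter: int = -1, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None.

    `window` tolerates +/- that many steps of clock drift between server and phone.
    `last_counter` is the counter of the last accepted code: steps at or below it are
    refused, so a code that was already used cannot be replayed while it is still inside
    the window. hmac.compare_digest keeps the comparison constant-time."""
    now = time.time() if for_time is None else for_time
    centre = int(now) // step
    for offset in range(-window, window + 1):
        candidate = centre + offset
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate
    return None


def verify_hotp(key: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Counter-based check. The client may have generated codes that never reached the
    server, so the server tries server_counter .. server_counter + look_ahead. Returns the
    counter to store next (one past the match), so that value and everything before it is
    never accepted again; None means no match."""
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate + 1
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """A fresh per-enrolment secret; 20 bytes (160 bits) matches the HMAC-SHA1 output size."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(key: bytes, account: str, issuer: str, step: int = 30, digits: int = 6) -> str:
    """The text the enrolment QR code encodes: the otpauth:// URI format understood by
    Google Authenticator-compatible apps. Only the base32 secret is private; the algorithm
    itself is public and named in the URI."""
    b32 = base64.b32encode(key).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 vector: at unix time 59 the 8-digit SHA-1 TOTP is 94287082, i.e. "287082" at 6 digits
    print("TOTP at t=59  :", totp(DEMO_KEY, for_time=59))
    print("HOTP counter 0:", hotp(DEMO_KEY, 0))           # RFC 4226 vector "755224"
    print("QR payload    :", provisioning_uri(new_secret(), "alice@example.com", "Example Corp"))
    code = totp(DEMO_KEY, for_time=75)                    # time step 2 (75 // 30)
    print("accepted step :", verify_totp(DEMO_KEY, code, for_time=75))
    print("replayed code :", verify_totp(DEMO_KEY, code, for_time=75, last_counter=2))
```

Two details matter on the server side and are easy to get wrong: the accepted time step must be remembered and refused on the next attempt, otherwise a code observed once stays valid for the full drift window, and the comparison must not short-circuit on the first wrong digit, which is why `hmac.compare_digest` is used rather than `==`.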

Time-Based One-Time Passwords are a convenient solution for securing your accounts. Keeper Password Manager makes it simple to set up TOTP for all your accounts, along with generating strong passwords. With KeeperFill, the login process is a breeze: Keeper automatically fills in your password and TOTP codes, so your accounts can be secure without the inconvenience of other MFA methods.
