Tags: TOTP, 2FA, two-factor authentication, authenticator app, one-time password

How TOTP Works: The Technology Behind Authenticator Apps

Time-based one-time passwords are the backbone of authenticator apps. Learn how TOTP works, why it is more secure than SMS codes, and how to test it in development.


Two-factor authentication (2FA) adds a second layer of security to account logins. TOTP (Time-Based One-Time Password) is the technology behind authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator. Understanding how TOTP works helps developers implement it correctly and understand its security properties.

The TOTP Algorithm

TOTP generates a 6-digit code from two inputs: a shared secret key and the current time (rounded to a 30-second window). The algorithm is defined in RFC 6238 and works like this:

First, take the current Unix timestamp and integer-divide it by 30 to get a time step counter. Second, compute an HMAC-SHA1 of that counter (encoded as an 8-byte big-endian integer) using the shared secret as the key. Third, extract a 4-byte value from the hash at an offset given by the low 4 bits of the hash's last byte ("dynamic truncation"), clearing the top bit of the extracted value. Fourth, compute that value modulo one million to get a 6-digit code, padded with leading zeros as needed.

Because both the server and the authenticator app know the shared secret and both have access to the current time, they independently compute the same code. The server accepts codes from a small time window (typically the current step plus or minus one step) to account for clock skew.
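The algorithm above, written out as an added example (this is not code from the original page or from the tool it describes). It uses only the Python standard library; the Base32 secret is the RFC 6238 reference secret "12345678901234567890", included here so the output can be checked against the RFC's published test vectors, and `verify_totp` implements the plus-or-minus-one-step acceptance window described in the previous paragraph with a constant-time comparison.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed for the example: the RFC 6238 reference secret (ASCII
# "12345678901234567890") in Base32. A real secret comes from enrollment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret, tolerating lowercase, spaces and missing padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects the 4-byte slice
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the top bit
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is unix_time // step."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), now // step, digits)


def seconds_remaining(at: Optional[int] = None, step: int = 30) -> int:
    """How long the current code stays valid (what an authenticator's countdown shows)."""
    now = int(time.time()) if at is None else at
    return step - (now % step)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current step or any step within +/- skew steps.

    Every candidate is compared in constant time and the loop never exits early,
    so response timing does not reveal which step (if any) matched.
    """
    now = int(time.time()) if at is None else at
    key = decode_secret(secret_b32)
    base = now // step
    ok = False
    for delta in range(-skew, skew + 1):
        counter = base + delta
        if counter < 0:  # only possible in the first seconds of the epoch
            continue
        ok |= hmac.compare_digest(hotp(key, counter, digits), submitted.strip())
    return ok


if __name__ == "__main__":
    print(totp(DEMO_SECRET_B32), "valid for", seconds_remaining(), "more seconds")
```

Note that the 8-digit values in RFC 6238's test table are the same computation with `digits=8`; the 6-digit codes are their last six digits.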

Why TOTP Is More Secure Than SMS

SMS-based 2FA sends a code via text message. This is vulnerable to SIM swapping (convincing a mobile carrier to transfer a phone number to the attacker's SIM card) and SS7 protocol attacks (exploiting weaknesses in the telephone signaling network to intercept messages). Authenticator app TOTP codes never travel over the phone network and cannot be intercepted the same way.

The Shared Secret

During 2FA enrollment, the server generates a random secret key (typically 16 to 32 bytes) and encodes it in Base32. This key is shared with the user's authenticator app, usually via a QR code. The QR code encodes a URI in the format: otpauth://totp/AccountName?secret=BASE32SECRET&issuer=AppName.

The shared secret must be stored securely by the server. If it is compromised, an attacker can generate valid TOTP codes indefinitely.
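The enrollment step described in this section, as an added example that is not part of the original page: generating a random secret from the operating system's CSPRNG, encoding it in Base32, building the otpauth URI that the QR code would carry, and parsing such a URI back. The label form `Issuer:account` and the `algorithm`, `digits` and `period` parameters are the de facto conventions authenticator apps accept; the account and issuer strings are constructed sample values.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random secret (20 bytes = 160 bits, matching HMAC-SHA1's output size),
    Base32-encoded without '=' padding because authenticator apps expect it that way.
    The server must store the raw bytes encrypted at rest; leaking them lets anyone
    produce valid codes for as long as the secret stays enrolled."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build otpauth://totp/Issuer:account?secret=...&issuer=... with proper escaping,
    so that ':' '@' and spaces in the label cannot be confused with URI syntax."""
    label = quote(f"{issuer}:{account}", safe="")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{params}"


def parse_provisioning_uri(uri: str) -> dict:
    """Parse a TOTP provisioning URI and validate the secret is well-formed Base32."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].rstrip("=")
    base64.b32decode(secret + "=" * (-len(secret) % 8))  # raises on bad characters
    return {
        "account": account,
        "issuer": q.get("issuer", issuer_from_label),
        "secret": secret,
        "algorithm": q.get("algorithm", "SHA1"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


if __name__ == "__main__":
    # Constructed sample enrollment; the URI is what a QR code would encode.
    uri = provisioning_uri(generate_secret(), "alice@example.com", "Example App")
    print(uri)
    print(parse_provisioning_uri(uri))
```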

Testing TOTP in Development

During development, you often need to generate TOTP codes for test accounts without a physical phone. The DevHexLab TOTP Generator lets you paste any TOTP secret key and see the current code along with its remaining validity time.

Open the tool at /tools/security/totp-generator. Paste the Base32 secret. The current 6-digit code appears along with a countdown. Use this to log in with test accounts or to verify your 2FA implementation is working correctly.

Frequently Asked Questions

What happens if my phone's clock is wrong?

TOTP depends on synchronized time. Most devices synchronize their clock via NTP automatically. The server typically allows a one-step tolerance (30 seconds) in each direction to handle minor clock differences.

Can TOTP codes be reused?

Properly implemented TOTP servers mark each used code as spent within its time window to prevent replay attacks. A code used once cannot be used again within the same 30-second window.

What is HOTP vs TOTP?

HOTP (HMAC-based OTP) uses a counter rather than the current time. It generates a new code only when you explicitly request one. TOTP rotates automatically every 30 seconds. TOTP is more widely used because it does not require counter synchronization between the client and server.
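The replay protection from the previous question and the counter synchronization issue from this one rest on the same server-side rule: remember the highest counter ever accepted for the account and never accept that counter, or a lower one, again. The following added example (not code from the original page) shows one verifier state object that applies this rule to both modes: for TOTP the candidates are the time steps inside the skew window, so a code that has been spent cannot be replayed even while it would otherwise still be valid; for HOTP the candidates are a bounded look-ahead past the last accepted counter, which is how a server resynchronizes with a client that generated codes it never submitted. The key is the RFC 4226 reference secret; the `look_ahead` size is an assumed policy value.

```python
import hashlib
import hmac
import struct
import time
from typing import Iterable, Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP core (same computation as in the earlier section)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpAccount:
    """Server-side state for one enrolled user: the raw key and the highest
    counter (time step or HOTP counter) that has ever been accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # nothing accepted yet

    def _accept(self, submitted: str, candidates: Iterable[int]) -> bool:
        matched: Optional[int] = None
        for c in candidates:
            if c <= self.last_counter:
                continue  # already spent, or older than something already spent
            if hmac.compare_digest(hotp(self.key, c), submitted.strip()):
                matched = c  # keep looping so timing does not reveal which one hit
        if matched is None:
            return False
        self.last_counter = matched  # consume it: the same code cannot be reused
        return True

    def verify_totp(self, submitted: str, at: Optional[int] = None,
                    step: int = 30, skew: int = 1) -> bool:
        """TOTP with clock-skew tolerance; a spent step is never accepted twice."""
        now = int(time.time()) if at is None else at
        base = now // step
        steps = [base + d for d in range(-skew, skew + 1) if base + d >= 0]
        return self._accept(submitted, steps)

    def verify_hotp(self, submitted: str, look_ahead: int = 10) -> bool:
        """HOTP: the client counter may be ahead of the server's, so search a
        bounded window after the last accepted counter to resynchronize."""
        start = self.last_counter + 1
        return self._accept(submitted, range(start, start + look_ahead))


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 reference secret, for demonstration only
    acct = OtpAccount(key)
    code = hotp(key, int(time.time()) // 30)
    print("first use:", acct.verify_totp(code), "replay:", acct.verify_totp(code))
```

The look-ahead window is the cost of HOTP: if the client advances its counter past it, the account needs an explicit resynchronization step, which is the friction the paragraph above refers to. TOTP avoids that because both sides derive the counter from the clock, leaving only the small skew window to search.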

Implement TOTP correctly and your application's 2FA is resistant to the most common account takeover attacks.