time-based one-time password (TOTP)

Contributor(s): Colin Steele

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that takes the current time as one of its inputs. Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers. In two-factor authentication scenarios, a user must enter a traditional, static password as well as a time-based one-time password to gain access to digital information or a computing system. Typically, the temporary passcode expires after 30, 60, 120 or 240 seconds.

Two-factor authentication is a common method for verifying the identity of users. It authenticates users based on two conditions: something they know and something they have. For example, if a user logs into their bank account with their username and password, an SMS message or an email with a random code will be sent for the user to input into the banking service prior to logging in. The username and password are known to the user, and the random code is sent to a device the user owns.

There are various methods available for the user to receive a time-based one-time password, including:

  • hardware security tokens which display the password on a small screen;
  • mobile authenticator apps, such as Google Authenticator;
  • text messages sent from a centralized server;
  • email messages sent from a centralized server;
  • voice messages sent from a centralized server.

What is a TOTP?

Time-based one-time passwords provide additional security, because even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which expires quickly. TOTP is an approved standard of the Internet Engineering Task Force (IETF). 

Difference between time-based and non-time-based OTP

While time-based algorithms use the time (along with a shared secret or token) to generate a password, non-time-based algorithms start with a seed value and use hash functions to generate passwords. After the initial password is generated, the prior password is used as input to generate the next password. Other OTP standards include the S/KEY One-Time Password System (RFC 1760), One-Time Password System (RFC 2289) and the HMAC-Based One-Time Password Algorithm.

This was last updated in July 2019


SMS-based 2FA is not completely safe, as it is vulnerable to SIM swap attacks. That's why it is recommended to use either a 2FA app like TOTP Authenticator or a hardware key like YubiKey.
2FA apps can come in handy when you are someplace where you don't have cell service.