The short version
TOTP stands for Time-Based One-Time Password. It’s the system behind apps like Google Authenticator and Authy that generate 6-digit codes you type in when logging into your accounts. Each code is valid for 30 seconds, then a new one replaces it.
That’s the basic idea. But how it actually works under the hood is surprisingly straightforward.
A secret key and a clock
TOTP needs two ingredients: a secret key and the current time.
When you set up two-factor authentication on a website, the site generates a random secret key and shares it with you, usually as a QR code. Your authenticator app scans the code and stores the key. The website also stores a copy. After that initial exchange, the secret never gets transmitted again.
Here’s where it gets interesting. Both your authenticator app and the website’s server have a clock. They both know what time it is. So they can independently combine the secret key with the current time, run it through the same math, and arrive at the same 6-digit code. No communication needed.
When you type a code into the login form, the server generates its own code using the same secret and the current time, then checks if they match. If they do, you’re in.
What the math looks like
You don’t need to understand the cryptography to use TOTP, but here’s the gist if you’re curious.
The current time gets divided into 30-second intervals. Right now, there’s a number that represents “how many 30-second blocks have passed since January 1, 1970” (that’s the Unix epoch, a common reference point in computing). That number is called the time step.
The algorithm feeds the secret key and the time step into HMAC-SHA1, a keyed one-way hash function. The output is a long string of bytes. TOTP extracts a chunk of that output, converts it to a number, and takes the last 6 digits. That’s your code.
Because the time step changes every 30 seconds, the code changes too. And because the hash function is one-way, someone who sees a code can’t reverse-engineer your secret key from it.
Why codes expire
The 30-second window is a trade-off. Shorter windows would be more secure; longer ones would give you more time to type. Thirty seconds landed as a sensible default in RFC 6238, the specification that defines TOTP.
Most servers will actually accept codes from the previous and next 30-second windows as well, to account for clock drift between your device and the server. So you usually have about 90 seconds in practice.
Once a code expires, it’s worthless. Someone shoulder-surfing your screen has a very narrow window to use what they see, and many services will reject a code that’s already been used once.
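The two pieces described above, the code-generation math and the server's acceptance window with replay rejection, as one added Python example that is not part of the original article. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) directly and checks itself against the 20-byte test secret those RFCs publish; the base32 decoder covers the secret as it arrives in a QR code. The `TotpVerifier` class, its `window` parameter and the "never accept a step at or before the last accepted one" rule are this example's own design, not the RFC's wording, and the sample secret is the RFC test value, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test secret published in RFC 4226 / RFC 6238 (the ASCII bytes of
# "12345678901234567890"). Used only to check the code against the RFC vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # counter as 8 bytes, big-endian
    mac = hmac.new(secret, msg, digestmod).digest()       # 20 bytes for SHA-1
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the chunk
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit positive int
    return str(chunk % 10 ** digits).zfill(digits)        # keep the last `digits` decimal digits


def time_step(unix_time: int, period: int = 30) -> int:
    """Number of whole `period`-second blocks since the Unix epoch."""
    return unix_time // period


def totp(secret: bytes, unix_time: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the time step standing in for the counter."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, time_step(unix_time, period), digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Secrets in otpauth:// QR codes are base32; tolerate spaces, lowercase and missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check (this example's own design, not from the RFC text):
    accept the current step plus or minus `window` steps to absorb clock drift,
    and never accept a step at or before the last one already accepted, so a
    code that was used once cannot be replayed inside the tolerance window."""

    def __init__(self, secret: bytes, window: int = 1, period: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.period = period
        self.digits = digits
        self.last_accepted_step = -1  # would be persisted per user in a real service

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        if unix_time is None:
            unix_time = int(time.time())
        now = time_step(unix_time, self.period)
        for step in range(now - self.window, now + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed (or older): reject replays
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits), e.g. T=59 -> 94287082.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(TEST_SECRET, t, digits=8))
    print("current 6-digit code:", totp(TEST_SECRET))
```

Running the block prints the RFC 6238 SHA-1 vectors (94287082, 07081804, 14050471, 89005924, 69279037, 65353130), which is the quickest way to confirm an implementation before trusting it. The verifier shows the two server-side behaviours from the section above in code: a code from the neighbouring step is accepted (drift), and the same code presented a second time is refused even though its step is still inside the window.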
RFC 6238: the standard
TOTP isn’t proprietary. It’s defined in RFC 6238, published by the Internet Engineering Task Force (IETF) in 2011. The spec builds on an earlier standard called HOTP (RFC 4226), which uses a counter instead of time. TOTP just replaced the counter with a time step.
Because it’s an open standard, any authenticator app can generate codes for any service that supports TOTP. You’re not locked into a specific vendor. Google Authenticator, Authy, 1Password, Bitwarden, and dozens of others all use the same algorithm.
How TOTP compares to regular passwords
A regular password is static. It’s the same string every time you log in. If someone steals it through a data breach, phishing, or malware, they can use it over and over until you change it.
TOTP codes are different in a few ways:
- They change every 30 seconds, so a stolen code is only useful for a brief moment
- They’re generated from a secret that never leaves your device after setup
- They can’t be phished in the traditional sense, because by the time an attacker tries to use one, it’s probably expired
- They don’t rely on your ability to create and remember something complex
That said, TOTP isn’t a replacement for passwords. It’s an additional layer. You still need a password (something you know), and the TOTP code proves you also have access to the device with the secret key (something you have).
The practical side
Setting up TOTP usually takes about a minute per account. The service shows you a QR code, you scan it with your authenticator app, and you confirm by entering one code. That’s it.
From then on, logging in takes an extra 10 seconds. You open your authenticator, find the right account, read the code, and type it in. It’s a small friction that makes your account dramatically harder to break into.
Some people worry about losing access to their authenticator app. That’s a valid concern. Most services give you backup codes during setup. Save those somewhere secure. You can also use authenticator apps that support cloud backup, or keep your secret keys stored in a password manager.
Try it yourself
If you want to see TOTP in action without committing to anything, you can generate codes at 2fa.zip. It runs entirely in your browser, with no secrets sent to any server, so it’s a good way to get a feel for how the codes work before setting up 2FA on your real accounts.