The 30-second numeric code an authenticator app generates offline, so a stolen password alone won't get an attacker into your system.
Automate access, reduce risk, and stay audit-ready
Last Updated date: July 2026
A Time-Based One-Time Password (TOTP) is a temporary numeric code, typically 6 digits, generated by combining a shared secret key with the current time stamp. The code refreshes every 30 seconds, expires immediately after use, and is the most widely deployed second factor in modern two-factor authentication (2FA) systems.
| Field | Detail |
|---|---|
| Category | Authentication / Multi-Factor Authentication (MFA) |
| Related to | OTP, 2FA, MFA, IAM, Identity Governance |
| Primary use | Verifying user identity at login without reusing static credentials |
| Key benefit | Short-lived codes resist phishing, credential stuffing, and replay attacks |
| Standard | RFC 6238 (IETF) |
| Code lifetime | 30–60 seconds |
Static passwords are a liability. Once stolen, through phishing, data breaches, or credential stuffing, they remain valid until manually changed. TOTP eliminates this window.
Because each code expires in 30 seconds, an attacker who intercepts one has almost no time to use it. This makes TOTP a foundational control in any Zero Trust architecture or IAM program that takes least privilege seriously.
For organizations under regulatory pressure (SOX, HIPAA, PCI-DSS), TOTP also satisfies the "something you have" authentication factor requirement without relying on SMS, which is vulnerable to SIM-swapping.
TOTP is a standardized algorithm (RFC 6238) that both the authenticator app and the server run independently. No network call is required during code generation.
Step-by-step:
Neither the user nor the server transmits the secret after initial setup. Authentication is purely computational.
Shared Secret Key
Generated at enrollment, stored securely on both the server and the authenticator app. Never transmitted after setup. Compromise of this key compromises the TOTP factor.
Time Reference (Unix Epoch)
Both parties use coordinated universal time (UTC). Clock drift greater than ±30 to 60 seconds causes authentication failures. This is the most common operational issue with TOTP deployments.
HMAC-SHA1 Algorithm
The cryptographic function that transforms the secret + timestamp into a deterministic, unpredictable code. SHA-256 variants are increasingly used for stronger assurance.
Authenticator App
The user-side software that stores the secret and generates codes. Common apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password. Hardware tokens (YubiKey) can also generate TOTP codes.
Verification Server
The identity management system or IAM platform that validates the submitted code. Enterprise deployments route TOTP verification through a centralized access management layer.
Financial Services
Banks and trading platforms use TOTP to satisfy PCI-DSS Requirement 8 (strong authentication for administrative access) and protect customer-facing portals. Many institutions have moved from SMS OTP to TOTP specifically to eliminate SIM-swap fraud risk.
Healthcare
HIPAA requires multi-factor authentication for systems accessing Protected Health Information (PHI). TOTP satisfies this requirement without relying on network-dependent SMS delivery, which is critical for clinical environments with unreliable carrier coverage.
Enterprise SaaS / Tech
Platforms like GitHub, AWS, and Okta expose TOTP enrollment as a first-class MFA option. DevOps and cloud security teams routinely enforce TOTP for privileged accounts and CI/CD pipeline credentials.
Manufacturing and OT
Operational technology environments often restrict internet-connected SMS delivery. TOTP's offline generation model makes it viable for air-gapped or semi-connected environments where worker authentication still has to be strong.
| Factor | TOTP | SMS OTP | Push Notification |
|---|---|---|---|
| Phishing resistance | Moderate | Low | Moderate |
| SIM-swap risk | None | High | None |
| Offline capability | Yes | No | No |
| Replay resistance | Yes | Yes | Yes |
| Setup complexity | App required | Phone number only | App required |
| Enterprise suitability | High | Low–Medium | High |
| Standard | RFC 6238 | Proprietary/carrier | Proprietary |
Bottom line: TOTP outperforms SMS OTP on every security dimension. Push notifications offer a better user experience but require persistent internet connectivity. For regulated industries, TOTP is the floor. Hardware security keys (FIDO2/WebAuthn) are the ceiling.
Deploying TOTP organization-wide requires more than handing out authenticator apps. A structured rollout through your identity governance platform makes sure you get coverage, compliance, and recoverability.
Device dependency
Losing the enrolled device locks the user out unless backup codes were saved. This is the single most common TOTP support issue in enterprise deployments.
Clock drift
TOTP requires synchronized time between the device and server. A device with a significantly skewed clock will generate codes that consistently fail, which causes silent authentication breakdowns.
Real-time phishing
Sophisticated phishing attacks can relay TOTP codes in real time. The attacker captures the code within its 30-second window. FIDO2 hardware keys eliminate this vector entirely.
Enrollment visibility
In large organizations, tracking which users have enrolled TOTP (and which haven't) requires integration with an identity lifecycle management or IGA platform. Manual auditing doesn't scale.
TOTP stands for Time-Based One-Time Password. It's a type of one-time passcode that changes every 30 seconds, defined in the IETF standard RFC 6238.
A regular OTP (one-time password) is typically delivered via SMS or email and doesn't expire based on time. TOTP is generated locally on your device using a time-based algorithm. No delivery channel is needed, and the code expires automatically after 30 seconds regardless of whether it was used.
No, but TOTP is one of the most common methods used to implement 2FA. Two-factor authentication (2FA) is the concept. TOTP is a specific mechanism that satisfies the "something you have" authentication factor.
TOTP is highly resistant to most attacks. The primary risks are: real-time phishing (relay attacks within the 30-second window), device theft with an unlocked authenticator app, or compromise of the original shared secret at enrollment. For high-assurance environments, FIDO2 hardware tokens provide stronger protection.
The most widely used TOTP authenticator apps are Google Authenticator, Microsoft Authenticator, Authy, and 1Password. Enterprise IAM deployments often integrate TOTP generation directly into hardware tokens like YubiKey.
Yes. TOTP code generation is entirely offline. The app uses only the device clock and the stored secret key. No network connection is needed at the moment of code generation.
One-Time Password (OTP)
Multi-Factor Authentication (MFA)
Two-Factor Authentication (2FA)
HMAC (Hash-Based Message Authentication Code)
FIDO2 / WebAuthn
Identity and Access Management (IAM)
Privileged Access Management (PAM)
Zero Trust Security