TOTP & Two-Factor Authentication

Two-factor authentication (2FA) strengthens login by requiring a second proof of identity in addition to a password, so a stolen password alone is not enough to get in. The most common app-based second factor is a TOTP, a Time-based One-Time Password: the six-digit code that authenticator apps display and refresh every thirty seconds. TOTP is appealing because, once set up, the authenticator app needs no network connection: the app and the server independently compute the same code from a shared secret and the current time, and the only thing that ever crosses the network is the code the user types in at login. This guide explains what 2FA protects against, exactly how TOTP generates those codes, how a device is provisioned, and how access is recovered when a device is lost.

  1. What 2FA is and the factor categories

    Authentication factors fall into three categories: something you know (a password or PIN), something you have (a phone or hardware key), and something you are (a fingerprint or face). Two-factor authentication requires factors from two different categories, so that compromising one is not sufficient on its own. A password plus a code from your phone combines “something you know” with “something you have,” which is why a leaked password no longer grants access by itself; two factors from the same category, such as two passwords or a password and a security question, do not count as genuine 2FA. Be precise about what this does and does not defend against: it defeats a password that was guessed, reused or leaked in a breach, but a TOTP code typed into a convincing phishing page can be relayed to the real site within its validity window, so TOTP is not phishing-resistant in the way origin-bound hardware security keys are.

  2. The shared secret

    TOTP begins with a secret key that the server generates and shares with your authenticator app exactly once, during setup. This secret is a random value of at least 128 bits (RFC 4226 requires 128 and recommends 160), usually shown as a Base32-encoded string because that alphabet (A to Z and 2 to 7) survives being read aloud or typed by hand, and both sides store it permanently from then on. Because both the app and the server hold the same secret, each can independently compute the same codes without any further communication. The security of the whole scheme rests on this secret staying private: anyone who obtains it can generate valid codes indefinitely, so it should be transmitted only over a secure channel and never logged. Note also that, unlike a password, the server cannot keep only a hash of it; it needs the raw secret at every login, so stored secrets must be encrypted at rest and a dump of that table should be treated as a compromise of every enrolled account.

  3. Time steps and the 30-second window

    TOTP derives its codes from the current time, divided into fixed intervals called time steps, conventionally 30 seconds long. The algorithm takes the number of whole 30-second steps elapsed since the Unix epoch, T = floor((now - T0) / 30) with T0 = 0 in practice, and uses that counter as the changing input, which is why the code changes twice a minute. Because both sides read clocks synchronised to the same time (phones from the mobile network or NTP, servers from NTP), they compute the same counter and therefore the same code without exchanging anything. This dependence on time means the device’s clock must be reasonably accurate: a phone drifting beyond the server’s tolerance window (typically one step either way) produces codes the server rejects, which is why some authenticator apps offer a time-correction option and why a sudden wave of 2FA failures is more often a clock problem than an attack.

  4. How the code is computed with HMAC

    TOTP is built on HMAC: it computes an HMAC (commonly HMAC-SHA1; SHA-256 and SHA-512 are also permitted) of the time-step counter, encoded as an 8-byte big-endian integer, using the shared secret as the key, producing a 20-byte tag in the SHA-1 case. A step called dynamic truncation then selects a few bytes from that tag: the low four bits of the last byte choose an offset, the four bytes at that offset are read as a 31-bit integer with the top bit cleared, and that integer modulo 10^digits, zero-padded, is the code, typically the familiar six digits. Because HMAC is deterministic, the same secret and counter always yield the same code, yet the secret cannot be recovered from the codes. The server verifies a submitted code by computing the expected value for the current time step and comparing, usually also checking one step on each side to tolerate slight clock skew and entry delay. Three details matter on the server side: the comparison should be constant-time; a code that has been accepted must not be accepted again for the same step (RFC 6238 requires this, otherwise a shoulder-surfed or intercepted code stays usable for up to 90 seconds); and attempts must be rate-limited, since six digits give an attacker a one-in-a-million chance per guess, roughly tripled by the skew window.
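The computation and the server-side check described above, written out as an added Python example (standard library only; not code from the original guide). The secret, times and expected codes used to exercise it come from the test vectors in RFC 6238 Appendix B; the `TotpVerifier` class, its one-step skew window and the `last_accepted_step` replay guard are this example's own design, and in a real service that field would be persisted per user.

```python
"""RFC 6238 TOTP from the ground up: HMAC, dynamic truncation, windowed verification."""
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the slice
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value
    return f"{binary % 10 ** digits:0{digits}d}"  # keep the low `digits` decimal digits


def time_step(unix_time: float, period: int = 30, t0: int = 0) -> int:
    """T = floor((now - T0) / X): the counter both sides derive from the clock alone."""
    return int((unix_time - t0) // period)


def totp(secret: bytes, unix_time: float, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    return hotp(secret, time_step(unix_time, period), digits, algorithm)


class TotpVerifier:
    """Server side: tolerate +/- `skew` steps, compare in constant time, never accept a replay."""

    def __init__(self, secret: bytes, digits: int = 6, period: int = 30,
                 algorithm: str = "sha1", skew: int = 1):
        self.secret, self.digits, self.period = secret, digits, period
        self.algorithm, self.skew = algorithm, skew
        self.last_accepted_step = -1            # would be stored per user in a real deployment

    def verify(self, submitted: str, unix_time: float) -> bool:
        now_step = time_step(unix_time, self.period)
        for step in range(now_step - self.skew, now_step + self.skew + 1):
            if step <= self.last_accepted_step:
                continue                        # RFC 6238 5.2: a code used once is burnt
            expected = hotp(self.secret, step, self.digits, self.algorithm)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(20)               # 160-bit secret, as RFC 4226 recommends
    now = time.time()
    code = totp(key, now)
    print("code for this step:", code, "valid for", 30 - int(now) % 30, "more seconds")
    server = TotpVerifier(key)
    print("first use accepted:", server.verify(code, now))
    print("replay accepted:", server.verify(code, now))
```

Run stand-alone it prints a fresh code, accepts it once and refuses the replay; the same `hotp` function serves HOTP counters and TOTP time steps, which is exactly how RFC 6238 is layered on RFC 4226.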

  5. QR provisioning and otpauth URIs

    To enrol a device without typing the secret by hand, servers encode the setup data in an `otpauth://` URI and render it as a QR code. The URI looks like `otpauth://totp/Service:alice@example.com?secret=BASE32SECRET&issuer=Service`, carrying the shared secret along with the account label, the issuer name, and optionally the algorithm, digit count, and period (taken as SHA1, 6 and 30 when absent). This “Key URI” format originated with Google Authenticator and is a de facto convention rather than an RFC, so apps differ in which optional parameters they honour; some widely used ones ignore a non-default `period` or `algorithm`, so test any non-default choice against the apps you intend to support. Scanning the QR code lets the authenticator app read all of this at once and store the secret correctly. The same data can be entered manually as a fallback, which is why setup screens usually show the secret string alongside the QR code. Remember that the QR image is the secret: serve it only to the already-authenticated user over TLS, never cache or log it, and mark enrolment complete only after the user has proved possession by submitting a correct code from the newly scanned secret.
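Building and parsing the URI, as an added Python example rather than the guide's own code. It follows the Key URI format as commonly implemented (`otpauth://TYPE/LABEL?PARAMETERS`, with `Issuer:account` as the label) and performs the checks a server or app should make before trusting a scanned URI; the function names, the 128-bit minimum, the `OtpauthParams` record and the decision to accept only the `totp` type are this example's own choices.

```python
"""Build and parse otpauth:// provisioning URIs, validating every field before trusting it."""
import base64
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

ALLOWED_ALGORITHMS = ("SHA1", "SHA256", "SHA512")
MIN_SECRET_BYTES = 16                 # RFC 4226: the shared secret MUST be at least 128 bits


@dataclass(frozen=True)
class OtpauthParams:
    secret: bytes
    account: str
    issuer: Optional[str]
    algorithm: str
    digits: int
    period: int


def new_secret_b32(num_bytes: int = 20) -> str:
    """Fresh 160-bit secret as unpadded Base32, the form authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def decode_secret_b32(text: str) -> bytes:
    """Accept the sloppy forms users and apps produce: lower case, spaces, missing padding."""
    cleaned = text.replace(" ", "").upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError as exc:         # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc


def build_otpauth_uri(secret_b32: str, account: str, issuer: str, algorithm: str = "SHA1",
                      digits: int = 6, period: int = 30) -> str:
    """Key URI with the issuer both as label prefix and as a parameter, label URL-encoded."""
    label = quote(f"{issuer}:{account}", safe="")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": algorithm, "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


def parse_otpauth_uri(uri: str) -> OtpauthParams:
    """Parse and validate; raises ValueError rather than storing anything dubious."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    label = unquote(parts.path.lstrip("/"))
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    secret = decode_secret_b32(params["secret"])
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError(f"secret is {len(secret) * 8} bits; need at least {MIN_SECRET_BYTES * 8}")
    label_issuer, sep, account = label.partition(":")
    if not sep:                        # no "Issuer:" prefix, the whole label is the account
        label_issuer, account = None, label
    account = account.strip()
    issuer = params.get("issuer", label_issuer)
    if label_issuer is not None and issuer != label_issuer:
        raise ValueError("issuer parameter does not match the label prefix")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")
    period = int(params.get("period", "30"))
    if period <= 0:
        raise ValueError("period must be positive")
    return OtpauthParams(secret, account, issuer, algorithm, digits, period)


if __name__ == "__main__":
    uri = build_otpauth_uri(new_secret_b32(), "alice@example.com", "Service")
    print(uri)                         # this string is what the QR code encodes
    print(parse_otpauth_uri(uri))
```

The parser deliberately accepts both the URL-encoded label the builder emits and the bare `Service:alice@example.com` form shown in the text, since both are seen in the wild; what it does not accept is a secret shorter than 128 bits, an unknown algorithm, or an `issuer` parameter that contradicts the label prefix.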

  6. Backup codes and recovery

    TOTP has one practical weakness: if you lose the device holding the secret, you can no longer generate codes and may be locked out. To guard against this, services issue a set of one-time backup (recovery) codes at setup, which you store somewhere safe and apart from the device. Each backup code works once in place of a TOTP code, letting you sign in and re-enrol a new authenticator if your phone is lost or reset. Treat these codes with the same care as a password, since anyone holding them can bypass the second factor entirely. On the server side, generate them from a cryptographic random source, store only a hash and never the plaintext, invalidate each code on use and all of them whenever 2FA is reset or re-enrolled, and make sure no other recovery path (an SMS reset, a support ticket, a “lost my authenticator” e-mail link) is weaker than the factor it bypasses, because attackers aim at the recovery flow when the login itself is hard.
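A minimal server-side backup-code store, added here as an illustration and not the guide's own code: codes drawn from a cryptographic random source, kept only as a keyed hash, redeemed at most once. The alphabet, the code length, the `BackupCodeStore` class and the HMAC-SHA256-with-pepper choice are this example's assumptions; the pepper stands in for a key held outside the user database, so a dump of the stored hashes alone does not allow offline brute force of the 50-bit codes.

```python
"""Backup (recovery) codes: random generation, hashed storage, single use."""
import hashlib
import hmac
import secrets
from typing import List, Set

# 32 symbols, 5 bits each; 0/O and 1/I left out so codes survive being read from paper
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10                      # 50 bits of entropy per code
DEFAULT_COUNT = 10


def generate_backup_codes(count: int = DEFAULT_COUNT, length: int = CODE_LENGTH) -> List[str]:
    """Codes shown to the user exactly once, formatted XXXXX-XXXXX for readability."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


def normalize(code: str) -> str:
    """Users type codes in lower case, with or without the dash, with stray spaces."""
    return code.replace("-", "").replace(" ", "").strip().upper()


class BackupCodeStore:
    """Store for one account. Only keyed digests are kept; the codes themselves are not."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper         # server-side key kept outside the user database (assumption)
        self._unused: Set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, normalize(code).encode("utf-8"), hashlib.sha256).digest()

    def enrol(self, codes: List[str]) -> None:
        """Replace any earlier set: re-enrolling 2FA must invalidate the old codes."""
        self._unused = {self._digest(c) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Accept a code once. Every stored digest is compared so timing does not reveal a hit."""
        digest = self._digest(submitted)
        matched = None
        for stored in self._unused:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)  # burnt: the same code is never accepted twice
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(secrets.token_bytes(32))
    store.enrol(codes)
    print("show these once:", codes)
    print("first use:", store.redeem(codes[0].lower()), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

If the pepper cannot be kept separate from the database, a slow password hash (scrypt or Argon2) over each code is the safer storage choice; with only ten codes per account the extra cost on the rare recovery path is negligible. Either way, the redemption endpoint needs the same rate limiting as the TOTP check.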
