TOTP - Time-Based One-Time Passwords for 2FA
TOTP (Time-based One-Time Password) is a one-time password mechanism that generates codes from the current time. It is widely used in authenticator apps such as Google Authenticator and Microsoft Authenticator. A new 6-digit code is typically generated every 30 seconds and serves as a second factor alongside the password. As of 2024, TOTP is the most widely adopted two-factor authentication method, and most major services, including Google, GitHub, and AWS, support it.
Real-World Use Cases
"We made TOTP mandatory for our AWS production environment accounts. We had all IAM users complete the authenticator app setup and applied a policy that prevents logging into the console without MFA."
The TOTP Generation Flow
How TOTP Works
TOTP is an algorithm standardized in RFC 6238. Using a secret key shared between the server and the client together with the current time step as inputs, it computes an HMAC-SHA1 value and truncates it to a 6-digit number. As long as the server and client clocks are synchronized, both sides generate the same code and authentication succeeds.
Concrete Usage Scenarios
A common misconception is that "SMS authentication and TOTP offer the same level of security." SMS authentication carries the risk of interception through SIM swap attacks or exploitation of vulnerabilities in the SS7 protocol. Because TOTP codes are generated locally on the device and never pass through the phone network, TOTP is far more resistant to these attacks. NIST (the U.S. National Institute of Standards and Technology) also recommends TOTP or hardware keys over SMS authentication.
By combining TOTP with a strong password generated by a password manager, you can prevent unauthorized logins even if the password leaks. Store the TOTP secret key securely along with your backup codes. In case you lose the smartphone running your authenticator app, the practical best practice is to print the backup codes on paper and keep them in a safe, or to set up the authenticator app on multiple devices.