How TOTP (Time-Based OTP) Works

Understanding TOTP: The Algorithm Behind 2FA

TOTP (Time-Based One-Time Password) is the algorithm that powers most two-factor authentication apps, including Google Authenticator, Authy, and Microsoft Authenticator. Defined in RFC 6238, TOTP generates short-lived numeric codes that prove you possess a shared secret.

The Core Mechanism

TOTP works by combining two inputs:

1. A shared secret key — a random value known to both the server and your authenticator app
2. The current time — divided into fixed intervals (typically 30 seconds)

The algorithm computes an HMAC-SHA1 (or SHA-256/SHA-512) hash of the time counter using the secret key, then extracts a numeric code from the hash through a process called dynamic truncation.

TOTP = Truncate(HMAC-SHA1(secret, floor(time / period)))

Step-by-Step Breakdown

1. Get the current Unix timestamp (seconds since January 1, 1970)
2. Divide by the time period (default: 30 seconds) and take the floor — this is the time counter T
3. Encode the counter as an 8-byte big-endian integer
4. Compute HMAC using the shared secret and the counter bytes
5. Dynamic truncation: extract 4 bytes from the HMAC at an offset determined by the last nibble
6. Modulo reduction: reduce the 31-bit integer to the desired number of digits (e.g., mod 10^6 for 6 digits)

Why It Works

Because both the server and your device share the same secret and use synchronized clocks, they independently generate the same code at the same time. The code changes every 30 seconds, so even if an attacker intercepts one code, it expires before they can reuse it.

Security Properties

• Codes are time-limited — valid only for the current window
• The secret is never transmitted after initial setup
• Each code is unpredictable without knowing the secret
• The algorithm is well-audited and standardized