
What Is Time-based One-time Password? Security Definition

Also known as: Time-based One-time Password, TOTP definition, TOTP vs SMS, multi-factor authentication, CompTIA A+ TOTP

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.


Quick Definition

A Time-based One-time Password, often called TOTP, is a short code that appears on an app like Google Authenticator. This code changes every 30 seconds, so even if someone steals it, they cannot use it later. You enter this code along with your regular password to prove you have your phone or device. It adds a second layer of protection beyond just your password.

Must Know for Exams

Time-based one-time passwords appear prominently in both CompTIA A+ (220-1101 and 220-1102) and CompTIA Security+ (SY0-601 and SY0-701) exams. In A+ exams, TOTP is covered under the domain of security best practices for mobile devices and workstation authentication. You may be asked to identify TOTP as a method of multi-factor authentication or to configure it on a device. The A+ exam focuses on the user's perspective (how to set it up and what it does) rather than the algorithm details.

On the Security+ exam, TOTP appears in several domains. In Domain 1 (Attacks, Threats, and Vulnerabilities), you might see scenarios where an attacker steals a TOTP code through phishing or man-in-the-middle attacks. In Domain 3 (Implementation), you will encounter questions about deploying authentication solutions. The exam tests your understanding of TOTP as a "something you have" factor, its resistance to replay attacks, and its place alongside other methods like SMS OTP, push notifications, and hardware tokens. Security+ also covers the concept of time drift and tolerance windows.

Both exams may present a scenario where a company must choose between SMS-based one-time passwords and TOTP. The correct answer often highlights that TOTP is more secure because it is not vulnerable to SIM swapping or interception by mobile carriers. Another common question type asks about the time window for TOTP, typically 30 seconds, and what happens if the user's phone clock is incorrect. You should know that servers usually accept codes from one or two steps before and after to handle minor clock differences. These exam objectives make TOTP a high-priority topic for anyone pursuing A+ or Security+ certifications.

Simple Meaning

Imagine you have a key for your front door, but you also install a lock that requires a secret handshake that changes every minute. Even if someone copies your key, they still need to know today's handshake, which is already different a minute later. A Time-based One-time Password, or TOTP, works similarly. It is a small code, usually six digits, that your phone or a security app generates for you. This code is based on the current time and a secret that only you and the service share. Every 30 seconds, the code changes to a new, random-looking number.

Think of it like a busy post office where each package needs a special stamp that changes every hour. The postal clerk knows the pattern, but the customer only gets a new stamp each hour from a machine that syncs with the clerk's list. If someone tries to use an old stamp the next day, it will not work. That is exactly how TOTP works. Your phone and the website share a secret key, and both look at the same clock. They use this information to compute a short code that matches for exactly 30 seconds. After that, both sides compute a new code.

This system is very common for two-factor authentication (2FA). You might have used it to log into your email, bank, or work account. When you turn on this protection, you first enter your password, then you open an app like Google Authenticator, Authy, or Microsoft Authenticator on your phone. The app shows a six-digit number. You type that number into the login page. Because the code changes every 30 seconds, a thief who steals the code from a screenshot cannot use it even a minute later. This makes your account much safer.

Full Technical Definition

A Time-based One-time Password (TOTP) is a one-time password algorithm specified in RFC 6238. It is an extension of the HMAC-based One-time Password (HOTP) algorithm defined in RFC 4226. The key innovation is that the moving factor is time-based rather than a counter. TOTP relies on the current Unix time (seconds since January 1, 1970) divided by a time step, most commonly 30 seconds. The resulting integer, the time counter, serves as the message input to a hash-based message authentication code (HMAC) keyed with the shared secret.

To generate a TOTP value, the server and the client must share a secret key, typically 128 bits or longer, and maintain synchronized clocks. The process works as follows. First, both sides obtain the current Unix time and divide it by the time step (e.g., floor(Unix time / 30)). This integer becomes the moving factor. Then, this moving factor is used as the input to an HMAC function, usually HMAC-SHA1, with the shared secret key. The resulting 20-byte hash is then truncated to a shorter value, typically 4 to 8 digits, using a dynamic truncation algorithm described in RFC 4226. The result is a numeric code that is valid only for the current time window.

TOTP is widely implemented in authentication systems, including Google Authenticator, Authy, and hardware tokens like RSA SecurID (which uses a variant). Servers store the shared secret, often encoded as a Base32 string, and the user scans a QR code to load that secret into their authenticator app. Both sides then independently compute the same code. The server typically allows a small time drift of one or two time steps before and after the current window to account for minor clock skew. This is called the tolerance window. For security, TOTP secrets should be stored encrypted on the server, and transmission of the code should occur over a secure channel like TLS.

In real IT environments, TOTP is used in conjunction with other methods for multi-factor authentication (MFA). It is a standard component in identity and access management (IAM) systems such as Azure Active Directory, Okta, and Duo Security. TOTP is considered more secure than SMS-based one-time passwords because it is not vulnerable to SIM swapping attacks. It is also a key requirement for compliance with regulations like PCI DSS and HIPAA, which mandate strong authentication for remote access. The primary security risk is that if an attacker steals the shared secret (e.g., through a server breach or malware on the user's device), they can generate valid codes. Therefore, TOTP is often combined with a short code expiry and rate limiting to prevent brute-force attacks.

Real-Life Example

Think about a secure office building. Employees have a photo ID card (like a password) to get in. But the building also has a guard station where you must state a daily passphrase (like a one-time password). The passphrase is printed on a piece of paper that the receptionist changes every morning. If you come in the afternoon with the morning's passphrase, the guard will know it is outdated and you will not be allowed in. This is exactly the principle behind a Time-based One-time Password.

Now imagine instead of a paper passphrase, each employee has a special watch that shows a new passphrase every 30 seconds. The watch and the guard's master list are perfectly synchronized. When you arrive at the guard station, you read the current number from your watch and say it to the guard. The guard checks his list, sees that the number matches the current time window, and lets you in. Even if someone sees your number as you say it, by the time they try to use it a minute later, the watch would show a completely different number, and the guard would not accept it.

Mapping this to the IT concept, the employee's watch is the authenticator app on your phone. The guard's master list is the server that stores the shared secret key. Both the watch and the guard are set to the same clock. The changing number is the TOTP code, and the 30-second interval is the time step. The photo ID card is your regular password. Together, they make access much harder for an intruder. This real-world system shows how two separate factors, something you know (password) and something you have (phone or watch), work together to protect valuable resources.

Why This Term Matters

Time-based one-time passwords matter because passwords alone are no longer sufficient for securing accounts. Data breaches expose millions of passwords every year. Employees reuse passwords across services. Phishing attacks trick users into typing their credentials into fake websites. TOTP provides a critical second layer of defense. Even if an attacker steals your password, they cannot log in without the current code from your phone. This drastically reduces the success rate of credential theft attacks.

For IT professionals, implementing TOTP is one of the most cost-effective ways to improve security. It does not require expensive hardware tokens for every user. Most employees already have a smartphone, and free authenticator apps are widely available. Setting up TOTP involves a one-time QR code scan and a few minutes of configuration. The return on investment is huge because it blocks the vast majority of automated credential-stuffing attacks and many targeted phishing attempts.

In regulated industries, TOTP is not just a good practice but a requirement. Standards like the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) mandate multi-factor authentication for remote access to sensitive systems. TOTP also plays a crucial role in zero-trust security models, where every access request must be verified regardless of the network location. For system administrators, configuring TOTP for VPN access, administrative consoles, and cloud service portals is a standard task. Understanding how TOTP works helps professionals troubleshoot issues like clock drift, QR code scanning problems, and secret key recovery.

How It Appears in Exam Questions

TOTP appears in several distinct question patterns across CompTIA exams. The most common is the scenario-based question that tests your ability to identify the correct authentication method. For example, a question might describe a user who needs to log in to a VPN from a public Wi-Fi network. The company wants a second factor that is not tied to a phone number. The correct answer would be TOTP via an authenticator app, because it works offline and does not rely on SMS. Another scenario might describe an employee whose phone has a broken screen but can still receive voice calls; the exam wants you to see that an SMS or voice call is not TOTP.

Another pattern is the troubleshooting question. A user complains that their TOTP codes are not working. The exam question will list possible causes and ask you to select the most likely one. Common answers include clock drift on the user's device, the user entering the previous code, or the secret key being corrupted. You might also see a question about the tolerance window, where the server accepts a code that was valid 30 seconds ago but not 90 seconds ago. The correct reasoning involves understanding the 30-second time step and the typical tolerance of one or two steps.

A third pattern is the configuration question. You might be asked to describe the steps to set up TOTP on a user's device. This includes scanning a QR code or manually entering a secret key. Another question may ask about the security considerations of TOTP, such as the importance of securing the shared secret on the server. You might also see a multiple-choice question that lists several authentication methods and asks which one is based on time synchronization. The correct answer is TOTP, distinguishing it from HOTP (counter-based) or biometrics. Finally, exam questions sometimes present a table of authentication factors and ask you to classify TOTP as something you have, since the code is generated by a device the user possesses.


Example Scenario

Maria works for a small accounting firm. The firm recently implemented a new policy requiring multi-factor authentication for remote access to customer data. Maria sets up her work laptop at home and opens the remote desktop application. She enters her username and password. The application then asks for a verification code. Maria opens the Google Authenticator app on her phone. The app shows a six-digit number: 482193. She types this number into the application. She is granted access. The whole process takes about 20 seconds.

Now, imagine that Maria accidentally leaves her company laptop unlocked and steps away. A colleague, who has no malicious intent, sees Maria's password written on a sticky note. The colleague could in theory try to log in. However, without the current TOTP code from Maria's phone, which changes every 30 seconds, the colleague cannot complete the login. Even if the colleague had seen the code 482193 a few minutes earlier, that code would now be expired. This scenario illustrates the core value of TOTP: it ties access to both a secret the user knows (password) and a device the user physically has (phone). The time element ensures that even if a code is intercepted, it becomes useless almost immediately.

Common Mistakes

Thinking that TOTP codes are generated randomly by the app and sent to the server each time.

TOTP codes are not random and are not sent anywhere. Both the app and the server independently compute the same code using the same shared secret and the current time. They never transmit the code until the user enters it and sends it over the network.

Understand that the app and server are like two people looking at the same clock and doing the same math problem. They get the same answer, so they can compare later. No code is generated by one side and transmitted to the other beforehand.

Believing that TOTP is the same as SMS-based one-time passwords.

SMS-based OTPs are sent from the server to the user's phone over cellular networks. This is vulnerable to SIM swapping attacks, where a hacker convinces the carrier to transfer the phone number to their SIM card. TOTP codes are generated locally on the user's device and never sent via SMS, making them more secure.

Remember that TOTP is offline and local. SMS OTP is online and server-generated. For exam purposes, TOTP is the preferred method because it avoids the weaknesses of SMS.

Assuming that TOTP codes are valid for a full minute or longer.

The standard time step for TOTP is 30 seconds. Some implementations may use 60 seconds, but 30 seconds is the most common by far. Codes expire after this short window, even if the user has not entered them.

Always associate TOTP with a 30-second expiry time. Know that servers typically allow a small grace period of one or two extra time steps to account for clock differences, but the basic valid window is 30 seconds.

Thinking that you need an internet connection to generate a TOTP code on your phone.

The authenticator app generates the code using the device's clock and the stored secret key. No internet connection is required for the code generation itself. This is why TOTP works even in airplane mode.

Recognize that TOTP generation is a local computation, not a network request. The app simply reads the time and computes the hash. Internet is only needed for the initial setup (QR code scan) and to send the code to the server for verification.

Believing that TOTP is a replacement for a strong password.

TOTP is a second factor. It is used in addition to a password, not instead of it. A TOTP code alone is useless without the corresponding username and password. Both factors are required to authenticate.

Remember the concept of multi-factor authentication. Something you know (password) plus something you have (the device generating the TOTP code) equals stronger security. TOTP only provides the second factor.

Exam Trap — Don't Get Fooled

An exam question describes a scenario where a user's phone is stolen, and asks whether TOTP is still secure. The trap is that the learner might think TOTP becomes completely insecure because the attacker has the phone. Remember that TOTP is typically paired with a password.

The attacker would need both the phone and the user's password. Also, the user can immediately revoke the TOTP secret on the server side, rendering the phone's codes useless. The correct reasoning is that TOTP remains secure as long as the password is not also compromised, and the breach is reported quickly so the secret can be rotated.

Commonly Confused With

Time-based One-time Password vs HMAC-based One-time Password (HOTP)

HOTP is also a one-time password algorithm, but it uses a counter (a number that increments with each use) instead of time. Both app and server increase the counter after a successful login. TOTP uses the current time as the moving factor, which changes automatically every 30 seconds without requiring a login event.

A gym membership card that gets a new barcode every 10 uses (HOTP) versus a gym membership card that gets a new barcode every 30 seconds regardless of whether you use it (TOTP).

Time-based One-time Password vs SMS One-time Password

An SMS OTP is generated by the server and sent to the user's phone via text message. It is a one time password, but it relies on the mobile network. TOTP is generated locally on the user's device using a shared secret and the device's clock. SMS OTP is vulnerable to SIM swapping while TOTP is not.

SMS OTP is like having a friend call you with a new code each time. TOTP is like having a puzzle book where the answer changes every 30 seconds, and you and the book's creator share the same answer key.

Time-based One-time Password vs Push Notification Authentication

Push notification authentication sends an alert to the user's phone asking to approve or deny a login attempt. The user taps a button instead of entering a code. TOTP requires the user to manually type a code. Push notifications require an internet connection on the device, while TOTP can work offline.

Push authentication is like a guard calling your phone and asking if it is you trying to enter. TOTP is like showing a security card that displays a new number every half minute.

Time-based One-time Password vs Static PIN or Password

A static PIN never changes over time. TOTP codes change every 30 seconds. A static PIN is vulnerable to theft and reuse; TOTP codes are valid only for one short time step, preventing replay attacks.

Static PIN is like a garage door code that stays the same for years. TOTP is like a hotel key card that is reprogrammed with a new code every 30 seconds.

Step-by-Step Breakdown

1. Initial Setup: Secret Key Generation

When a user enables TOTP on a service, the server generates a unique secret key for that user. This key is a long string of random characters. It is the foundation of all future code generation. The server stores this secret key securely, usually encrypted in its database.

2. Secret Key Distribution

The server encodes the secret key, along with the user's account name and the service name, into a QR code. The user scans this QR code with an authenticator app. The app decodes the QR code and stores the secret key locally on the device. The key is now shared between the app and the server.

3. Time Synchronization

Both the authenticator app and the server need accurate clocks. The server uses Network Time Protocol (NTP) to maintain precise time. The user's phone also has a clock, typically synchronized via the cellular network or NTP. The current Unix time is the common reference point.

4. Time Step Computation

Both sides divide the current Unix time by the time step, usually 30 seconds. For example, if the Unix time is 1,700,000,000 seconds, dividing by 30 gives 56,666,666 (rounded down). This integer is the moving factor. It changes every 30 seconds as the time increases.

5. HMAC Generation

The app and the server both compute an HMAC using the shared secret key and the moving factor from step 4. The HMAC algorithm (typically SHA-1) produces a 20-byte (160-bit) hash. This hash is deterministic: the same inputs always produce the same output.

6. Truncation to a Short Code

The 20-byte hash is too long to use as a code. A dynamic truncation algorithm takes a portion of the hash and converts it to a six-digit number. This step ensures the output is user-friendly. The truncation includes an offset byte that determines which part of the hash to use, adding to the security.

7. User Entry and Verification

The user sees the six-digit code on their app and types it into the login page. The code is sent to the server over a secure connection. The server compares the code it computed with the one the user entered. If they match and the time window is still open, the server grants access.

8. Tolerance Window Handling

Because clocks can drift slightly, the server does not only check the current time step. It also checks the codes for the previous time step and the next time step. If the user's code matches any of these, it is accepted. This tolerance handles minor clock drift without requiring the user to resync their device.
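The following Python is an added example, not code from this page, its reviewer, or any authenticator product named above. It implements the algorithm from the Full Technical Definition and from steps 4 through 8 of the breakdown: HOTP with dynamic truncation, TOTP on top of it, and a server-side verifier that applies a one-step tolerance window and enforces single use of each code. The secret is the ASCII key from the RFC 4226 / RFC 6238 test vectors, Base32-encoded as a provisioning QR code would carry it; the function and class names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per time step, the common default

# Constructed example secret: the ASCII key from the RFC 4226 / RFC 6238
# test vectors, Base32-encoded the way a provisioning QR code carries it.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)      # restore Base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()   # 20 bytes for SHA-1
    offset = mac[-1] & 0x0F                                          # low nibble of the last byte
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 4 bytes, sign bit dropped
    return str(window % 10 ** digits).zfill(digits)                  # keep leading zeros


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the moving factor is floor(unix_time / step) (steps 3 and 4)."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server side of steps 7 and 8: tolerance window plus single-use enforcement.

    RFC 6238 section 5.2 requires that a code accepted once is never accepted
    again; this verifier also refuses any step at or below the last accepted
    one, so a code captured earlier cannot be replayed inside the window.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = TIME_STEP, digits: int = 6):
        self.secret = secret_b32
        self.window = window          # steps accepted before and after the current one
        self.step = step
        self.digits = digits
        self.last_accepted_step = -1  # highest time step whose code has been consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != self.digits or not submitted.isascii():
            return False              # reject malformed input before comparing
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue              # already used, or older than a used code: reject replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Prints the code an authenticator app would show right now for the test secret.
    print(totp(RFC_TEST_SECRET, int(time.time())))
```

With the RFC test key, `totp(RFC_TEST_SECRET, 59, digits=8)` yields the published vector `94287082`, and the six-digit form `287082` is simply its last six digits. The verifier accepts a code from one step ahead (a phone clock slightly fast), refuses the same code a second time, and refuses the code from the step before the one it last accepted.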

Practical Mini-Lesson

As an IT professional, implementing TOTP for your organization requires planning and understanding of the infrastructure. The first step is to choose an identity provider that supports TOTP natively. Cloud services like Azure AD, Okta, and Duo Security have built-in TOTP support. For on-premises environments, you might use Microsoft Active Directory Federation Services (AD FS) with an MFA extension or deploy a RADIUS server with TOTP capabilities. When you configure TOTP, you must decide on the secret key length, typically 128 or 160 bits, and the time step, almost always 30 seconds.

The most critical operational concern is secret key recovery. If a user loses their phone, they cannot generate TOTP codes. You must have a procedure for this, such as providing backup codes during initial setup, allowing users to register multiple devices, or having an administrator reset the TOTP configuration. Some organizations use hardware TOTP tokens as a backup. These tokens are small key fobs that generate codes and never need charging or network connectivity.

From a security perspective, the shared secret is the crown jewel. If an attacker compromises the server database and steals the encrypted secrets, they could potentially generate valid TOTP codes for any user. Therefore, secrets must be stored in a hardware security module (HSM) or encrypted with a strong key derived from a separate system. You should also implement rate limiting on the authentication endpoint to prevent brute-force guessing of the six-digit code. A typical rate limit of five attempts per minute makes guessing a six-digit code impractical.

Another practical consideration is clock synchronization. While modern smartphones are fairly accurate, issues can arise if a user manually sets their time or if a device does not update its clock regularly. In such cases, the user will see a consistent error. You can guide users to set their device time to automatic. On the server side, ensure that your authentication server uses NTP and monitors for clock skew. The tolerance window of one or two steps covers most minor discrepancies.

Finally, test your TOTP implementation thoroughly. Verify that QR codes scan correctly across different authenticator apps. Confirm that backup codes work. Develop a clear communication plan for users, including instructions on how to set up TOTP, what to do if they lose their phone, and how to recognize phishing attempts that try to steal both the password and the TOTP code. This last point is crucial: attackers have developed real-time phishing proxies that capture the username, password, and the current TOTP code and immediately use them to log in. Advanced MFA systems now use number matching or location-based policies to defend against this, but as a foundation, TOTP remains a strong, widely supported standard.
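The provisioning and operational pieces the mini-lesson describes, as an added Python example that is not from this page or from any of the identity providers named above: generating a 128- or 160-bit secret, building and parsing the otpauth:// Key URI that an enrollment QR code encodes (the format common authenticator apps read), issuing single-use backup codes that the server stores only as hashes, and a five-attempts-per-minute rate limiter for the verification endpoint. All function and class names are my own; the secret `JBSWY3DPEHPK3PXP` and the account names used in testing are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse
from collections import defaultdict


def new_totp_secret(bits: int = 160) -> str:
    """Fresh random shared secret (128 or 160 bits are the usual sizes) as unpadded Base32."""
    if bits % 8:
        raise ValueError("secret length must be a whole number of bytes")
    return base64.b32encode(secrets.token_bytes(bits // 8)).decode().rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str, digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// Key URI that the enrollment QR code encodes (step 2 of the breakdown)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": period}
    )
    return f"otpauth://totp/{label}?{query}"


def parse_provisioning_uri(uri: str) -> dict:
    """What an authenticator app recovers from the scanned QR code."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    label = urllib.parse.unquote(parts.path.lstrip("/"))
    issuer_prefix, _, account = label.rpartition(":")   # "Issuer:account" or just "account"
    q = dict(urllib.parse.parse_qsl(parts.query))
    return {
        "secret": q["secret"],
        "issuer": q.get("issuer", issuer_prefix),
        "account": account,
        "algorithm": q.get("algorithm", "SHA1"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


class BackupCodes:
    """Single-use recovery codes: shown to the user once, stored only as hashes."""

    def __init__(self, count: int = 8):
        self._plain = [secrets.token_hex(4) for _ in range(count)]   # 8 hex characters each
        # sha256 keeps the example dependency-free; a salted slow hash is preferable in production.
        self._hashes = [hashlib.sha256(c.encode()).hexdigest() for c in self._plain]

    def issue(self) -> list:
        """Hand the plaintext codes to the user exactly once; afterwards the server holds only hashes."""
        codes, self._plain = self._plain, []
        return codes

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, digest):
                del self._hashes[i]          # burn the code so it cannot be reused
                return True
        return False


class AttemptLimiter:
    """Sliding-window limit on code submissions per user (five per minute by default)."""

    def __init__(self, max_attempts: int = 5, per_seconds: int = 60):
        self.max_attempts = max_attempts
        self.per_seconds = per_seconds
        self._attempts = defaultdict(list)   # user -> timestamps of recent attempts

    def allow(self, user: str, now: float) -> bool:
        recent = [t for t in self._attempts[user] if now - t < self.per_seconds]
        self._attempts[user] = recent
        if len(recent) >= self.max_attempts:
            return False                     # refuse without even checking the code
        recent.append(now)
        return True
```

Call `AttemptLimiter.allow()` before computing or comparing any code, so a flood of guesses costs the server nothing beyond a list lookup; the `BackupCodes` object shows why backup codes must be displayed at enrollment time only, since the server deliberately discards the plaintext once it has been issued.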

Memory Tip

TOTP: Time sync makes it Tick. Each code is valid for Only Thirty seconds. Think of it as a watch that shares a secret with the server, and the face shows a new number every half minute.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601, SY0-701 (current version)


Frequently Asked Questions

How do I set up TOTP for my personal email account?

First, go to your email account's security settings and look for two-factor authentication options. Choose authenticator app. Scan the QR code shown on the screen with an app like Google Authenticator. Enter the six-digit code from the app to confirm it works. Now, whenever you log in, you will enter your password and then the current TOTP code.

What happens if I lose my phone with the authenticator app?

You will need backup codes that the service gave you during setup. These are one-time use codes that let you log in and disable the old TOTP configuration. If you do not have backup codes, you will need to contact the service's support and prove your identity to regain access.

Is TOTP the same as the code sent to my phone via text message?

No, they are completely different. TOTP is generated by an app on your phone using the device's clock. SMS codes are sent to you by the server over the mobile network. TOTP is more secure because it is not vulnerable to SIM swapping attacks.

Can a hacker steal my TOTP code?

If you are tricked by a phishing website, you might type your TOTP code into the fake site. The attacker can then use that code immediately. However, because the code changes every 30 seconds, the attacker has a very short window. Using a reputable authenticator app and being cautious about where you enter codes reduces this risk.

Why does my TOTP code sometimes not work even though I entered it quickly?

This usually happens if your phone's clock is not perfectly synchronized. Check that your phone is set to automatic date and time. If it is off by more than a minute or two, the codes will not match. Most servers allow a small drift of about 30 to 60 seconds to handle this, but a larger difference will cause failures.

Do I need internet access to see my TOTP code?

No, the TOTP code is generated locally on your device. The app only needs the current time and the secret key, both of which are stored on your phone. You can see the code even in airplane mode. You only need internet when you actually send the code to the server for login.

Is TOTP required for CompTIA Security+ certification?

The Security+ exam expects you to understand TOTP as a method of multi-factor authentication. You should know how it works, why it is more secure than SMS, and how it fits into authentication concepts. It is not a practical requirement for the exam, but it is a tested topic.

Can I use the same TOTP secret on multiple devices?

Yes, many services allow you to scan the same QR code into multiple authenticator apps. This is useful if you have a phone and a tablet. However, each device will generate the same codes because they share the same secret and see the same time. Simply repeat the setup process on each device.

Summary

A Time-based One-time Password, or TOTP, is a six-digit code that changes every 30 seconds and provides a second layer of security beyond a traditional password. It works by having the user's authenticator app and the authentication server independently compute the same code using a shared secret key and the current time. This simple mechanism makes it extremely resistant to replay attacks because any stolen code is useless after a few seconds.

For IT professionals, TOTP is a foundational component of multi-factor authentication, offering a cost-effective and secure way to protect user accounts across VPNs, cloud services, and local systems. On CompTIA A+ and Security+ exams, you will encounter TOTP in scenario questions that test your ability to choose the right authentication method, troubleshoot common issues like clock drift, and understand its advantages over SMS-based codes. The key takeaways for exams are that TOTP is a something you have factor, it requires time synchronization, it has a 30-second validity window with a small tolerance, and it is a locally generated code that does not depend on network connectivity.

By mastering these points, you will be well prepared for both certification exams and real-world security administration tasks.