What is a Time-based One-time Password (TOTP)?

Using complex passwords has become the best practice. In the past, this type of password was a good solution to account security. Using long passphrases is a better option than complex passwords, but there are two other solutions much more secure. One of the most frequently used is TOTP or Time-based One-time Password. This is different than a one-time password or PIN because you can use it more than once.

In this post, we’ll discuss what TOTP is, how it works, the advantages as well as the disadvantages of a time-based one-time password.

Defining Terms

Before we define what TOTP is, we must first discuss two-factor authentication (2FA) since a time-based one-time password is a form of 2FA.

Two-factor authentication (2FA) requires the user to provide two different kinds of identification when logging in to a computer system or to an account online. Factor is a means for the user to convince the online service or computer system of their identity. The system can then determine if the user has the right to access the information they have requested.

The most common authentication factor is the combination of a password and a username. Single-factor authentication is used for security because accounts are accessible with just a password. Two-factor authentication, meanwhile, is different because the user must provide their password in addition to proving their identity to be granted access.

A time-based one-time password or TOTP, as we mentioned, a form of 2FA. An algorithm generates a temporary passcode that uses the current time of day as one of its authentication factors. 

Cloud application providers use this type of passcode for two-factor authentication. Normally, the temporary passcode generated expires after 30, 60, 120, or 240 seconds.  

TOTP in Action

Two-factor authentification verifies the user’s identity. User requires two different factors in order to gain access: something the user has and something they know. A good example is a user logging into their bank account with their password and username. An email or SMS message will be sent containing a random code. This code enables the user to log into the banking system.

The user knows their password and username and receives a random code through their device. There are a variety of methods to send a user a time-based one-time password such as:

  • The password is displayed on the screen as a hardware security token
  • A centralized server sends text messages
  • A centralized server sends voice messages
  • Mobile authenticator apps including Google Authenticator
  • A centralized server sends email messages

Why Use TOTP

Two-factor authentication is recommended because of major data breaches. This has placed millions of passwords and email addresses pairs up for sale through the dark web. The unfortunate result is less secure passwords. The majority of people reuse their passwords for numerous accounts and sites. Hackers simply use known passwords and email addresses pairs for multiple websites until they receive access.

On the other hand, with TOTP, the user needs to enter their static password in addition to a time-based one-time password to receive approval for accessing the information on a computing system. TOTP provides an extra layer of security.

TOTP provides additional security because if the user’s password is compromised or stolen, the attacker requires the TOTP to gain access. Since this password expires quickly, the attacker is denied access. Time-based one-time passwords are approved by the IETF or the Internet Engineering Task Force.

Industries Using TOTP

The majority of businesses have a computer system requiring their users to log in. Since TOTP improves security, it can be effective for almost every industry including:

  • Automotive
  • Accounting
  • Cloud application providers
  • Engineering
  • Website developers
  • Precious metals
  • Retail services

Never compromise security
for convenience, choose both!

Advantages of Time-Based One-Time Password

Aside from the obvious, which is adding an extra layer of protection, below are the reasons to use TOTP:

Inexpensive Implementation

Organizations frequently use a time-based one-time password due to the accessibility. The majority of authentification apps generating these tokens either charge a small fee or are completely free. As a result, regardless of the size of an organization, the identity of users can be secured.


Organizations need not install new hardware for the IT resources of the users. All the user needs is an authentication app on their phone, laptop, or desktop. The majority of app providers have 2FA available for all of these devices to enable users to select the best option for their individual needs.

Improved Access

When the user accesses the system or application for the first time, the token generator remembers and stores user information.

Because of this, users do not require cellular service or WiFi to acquire their codes. New codes are constantly generated for these resources.


All an organization requires for enforcing time-based one-time passwords is the right provider. This enables the organization to scale for all of its IT resources including a wide range of applications, file servers, diversified systems, and networks.

Disadvantages of TOTP

Required User Device

The only way a user can receive their code is if they have an authenticator app ready. The user might not be able to access IT resources if they do not have their phone or the battery in their device dies. A lot of web applications offer alternates to receive codes. If the user is unable to secure a token from an authenticator app, these alternates are often available.

Secret Key

A secret key is shared between the server and the authentication app. If this secret key is cloned, valid codes can be generated resulting in the user’s account being accessed.

Quick Expiration

The user may need to enter multiple codes in an attempt to log in before the expiration of their code. The extra time necessary can result in an account lockout if the user makes too many login attempts.

Ways Attackers Get Around TOTP Authentication

Below are some scenarios when cybercriminals get around TOTP authentication:

  • When online hackers access a user’s account, they are also able to access other accounts with the same user.
  • The user’s account can be accessed if the initial site is breached or the password of the user is exposed due to a third-party breach resulting from reusing credentials for numerous different sites.
  • The company must trust the app when an organization uses TOTP for authenticator application. If the app does not store the secret keys securely or follow proper procedures, it can result in poor security.
  • A time-based one-time password is not as susceptible to social engineering as many of the other types of multi-factor authentication. Despite this, users can be tricked into providing criminals with access.

When the user’s token is pursued by an attacker, timing is incredibly important. The attacker will try to log into the account using a valid credential. This is often a password the user recycled after a previous breach. The attacker then attempts to trick the user into revealing their token.

The Bottomline

Teamstack offers important features including MFA or multi-factor authentication as support for extremely popular methods including:

  • WebAuthn for Windows Hellow for Windows, TouchID for Mac and FID02
  • The TOTP Google Authenticator
  • SMS codes

Leave a Reply

Your email address will not be published. Required fields are marked *