Auth & identity
September 1, 2022
Author: Reed McGinley-Stempel
Time-based one-time passcodes (TOTP) are a type of multi-factor authentication (MFA) that leverages software authenticator apps (e.g. Google Authenticator, Authy, Microsoft Authenticator) to verify your identity. These authenticator apps supply a randomly generated code that changes every 30 seconds.
Time-based One-time Passcodes are generated using a shared secret (a random string of characters) and the current time.
The TOTP algorithm uses that shared secret to generate a 6-digit time-based code that expires every 30 seconds. The shared secret is used to generate the code on the user’s device as well as stored securely on the server. When a user needs to authenticate to an application, the user enters their code from their device and the server validates the code against its stored secret. If the code matches, the user is authenticated.
When you want to log into a site or service that uses TOTP, you complete your first method of authentication (e.g. password, sign in with Google, magic links, etc.) as usual. Then, you open your authenticator app and enter the code that is displayed. This proves that you have possession of your device and gives the application strong evidence that you are who you say you are.
While SMS one-time passcodes (OTPs) are the most common form of multi-factor authentication today, TOTP (time-based one-time passcodes) are an important two-factor authentication option that can be used in situations where you need higher security assurance than SMS verification can provide.
SMS OTP is familiar and convenient for users, but there are certain security weaknesses. SMS OTP is more vulnerable to SIM swapping attacks, where a fraudster who has stolen a user’s phone number can route messages to their own device and intercept the code. TOTP is not vulnerable to this type of attack, as the authenticator app is tied to the user’s device rather than their phone number.
SIM swapping attacks are relatively rare (compared to other account attacks like credential stuffing) due to the effort and cost involved in executing it successfully – it typically involves either bribing employees at a telecommunication company or fabricating identity documents to impersonate the true owner of the phone number at a live branch.
TOTP authentication solutions are ideal for particularly sensitive use cases that are also highly attractive to attackers in terms of the potential payoff they offer – think money movement in fintech or cryptocurrency spaces or access to a company’s HR or payroll information. But even if a company’s use case isn’t particularly sensitive, TOTP can be a good option for organizations that prefer a higher assurance level for their MFA and 2FA. Many tech-savvy users also prefer TOTP over SMS OTP for MFA for important accounts due the heightened security.
Ultimately, the best type of security is security that users will actually use, which is why it’s important to offer multiple MFA options to increase the likelihood that a user enrolls in MFA.
There are many different MFA options you can offer users with SMS, TOTP, biometrics, and hardware keys being the most popular ones. Each of these methods has its own advantages and disadvantages, which is another reason it’s important to offer multiple forms of MFA to your users. You can read more about these individual authentication options in our guide to passwordless authentication.
With Stytch, developers can embed MFA, including TOTP, into their authentication flows in minutes rather than months. Stytch’s TOTP solution is designed to be used with any mobile authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy. Check out our TOTP integration guide to get started.