Definition

What is a time-based one-time password?

Colin Steele
By
Published: Jun 02, 2025

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors.

Time-based one-time passwords are commonly used for two-factor authentication (2FA), providing a second authentication factor that works for a limited amount of time.

Why are TOTPs important?

TOTPs provide additional account security. If a user's traditional password is stolen or compromised, an attacker cannot gain account access without the TOTP, which expires quickly.

How does a TOTP work?

2FA is a common authentication method for verifying users' identities. It authenticates users based on two conditions: something they know and something they have. For example, when users log into their bank accounts with their username and password, an SMS message or email with a random code is sent for them to input into the banking service prior to logging them in. The username and password are known to the user, and the random code is sent to a device the user owns.

TOTPs typically expire after 30 or 60 seconds.

Image of a user entering a time-based one-time password to access their account.
A user inputs a time-based one-time password to verify their identity.

Various methods for users to receive time-based one-time passwords include the following:

  • Hardware security tokens that display the password on a small screen.
  • Mobile authenticator apps, such as Google Authenticator.
  • Text messages sent from a centralized server.
  • Email messages sent from a centralized server.
  • Voice messages sent from a centralized server.

TOTPs can be generated offline when using a mobile authenticator app or a hardware security token. This is ideal for authenticating users with limited internet access.

What's the difference between time-based and non-time-based OTPs?

Time-based algorithms use the time -- along with a shared secret or token -- to generate a password. Non-time-based algorithms start with a seed value and use hash functions to generate passwords.

After the initial password is generated, the prior password is used as input to generate the next password.

TOTP is an approved standard (RFC 6238) of the Internet Engineering Task Force (IETF). Other OTP standards include the S/KEY One-Time Password System (RFC 1760), One-Time Password System (RFC 2289) and the HMAC-Based One-Time Password Algorithm (RFC 4226).

Editor's note: Informa TechTarget editors revised this article in 2025 to improve the reader experience.

Continue Reading About What is a time-based one-time password?

Dig Deeper on Identity and access management