time-based one-time password

What is a time-based one-time password?

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors.

Time-based one-time passwords are commonly used for two-factor authentication (2FA) and have seen growing adoption by cloud application providers.

Why are TOTPs important?

Time-based one-time passwords provide additional security. Even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which expires quickly.

How does a TOTP work?

2FA is a common method for verifying the identity of users. It authenticates users based on two conditions: something they know and something they have. For example, when users log into their bank accounts with their username and password, an SMS message or email with a random code will be sent for them to input into the banking service prior to logging them in. The username and password are known to the user, and the random code is sent to a device the user owns.

Image of a one-time password on a phone.
A user inputs a time-based one-time password to verify their identity.

TOTPs typically expire after 30, 60, 120 or 240 seconds.

Various methods are available for users to receive time-based one-time passwords, including the following:

  • hardware security tokens that display the password on a small screen;
  • mobile authenticator apps, such as Google Authenticator;
  • text messages sent from a centralized server;
  • email messages sent from a centralized server; and
  • voice messages sent from a centralized server.

What's the difference between time-based and non-time-based OTPs?

Time-based algorithms use the time -- along with a shared secret or token -- to generate a password. Non-time-based algorithms start with a seed value and use hash functions to generate passwords.

After the initial password is generated, the prior password is used as input to generate the next password.

TOTP is an approved standard of the Internet Engineering Task Force (IETF).

Other OTP standards include the S/KEY One-Time Password System (RFC 1760), One-Time Password System (RFC 2289) and the HMAC-Based One-Time Password Algorithm (RFC 4226).

This article was written by Colin Steele in 2019. TechTarget editors revised it in 2022 to improve the reader experience.

This was last updated in November 2022

Continue Reading About time-based one-time password

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing