time-based one-time password (TOTP)

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers. In two-factor authentication scenarios, a user must enter a traditional, static password as well as a time-based one-time password to gain access to digital information or a computing system. Typically, the temporary passcode expires after 30, 60, 120 or 240 seconds.  

Two-factor authentication is a common method for verifying the identity of users. It authenticates users based on two conditions: something they know and something they have. For example, if a user logs into their bank account with their username and password, an SMS message or an email with a random code will be sent for the user to input into the banking service prior to logging in. The username and password are known to the user, and the random code is sent to a device the user owns.

There are various methods available for the user to receive a time-based one-time password, including:

  • hardware security tokens which display the password on a small screen;
  • mobile authenticator apps, such as Google Authenticator;
  • text messages sent from a centralized server;
  • email messages sent from a centralized server;
  • voice messages sent from a centralized server. 
What is a TOTP?

Time-based one-time passwords provide additional security, because even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which expires quickly. TOTP is an approved standard of the Internet Engineering Task Force (IETF). 

Difference between time-based and non-time-based OTP

While time-based algorithms use the time (along with a shared secret or token) to generate a password,  non-time-based algorithms start with a seed value and use hash functions to generate passwords. After the initial password is generated, the prior password is used as input to generate the next password. Other OTP standards include the S/KEY One-Time Password System (RFC 1760), One-Time Password System (RFC 2289) and the HMAC-Based One-Time Password Algorithm.

This was last updated in July 2019

Continue Reading About time-based one-time password (TOTP)

Dig Deeper on Identity and access management