Time-Based One-Time Password (TOTP)
TOTP is a software-based OTP that generates codes at regular time intervals, typically 30 seconds, using a shared secret and the current time. Authenticator apps like Google Authenticator and Microsoft Authenticator generate TOTP codes without requiring a server connection.
# WHAT TEAMS RUN INTO
- TOTP is vulnerable to clock skew. If the user's device clock is out of sync with the authentication server, valid codes are rejected, creating authentication failures.
- TOTP secrets must be backed up or the user is locked out. If a user loses the device running their authenticator app, they lose access to all TOTP-protected accounts unless recovery codes were saved.
- TOTP implementations don't always throttle invalid attempts. Users and attackers can submit multiple codes in a single time window, and some implementations don't prevent brute force attacks.
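To make the mechanism and the first and third pitfalls concrete, here is an added example (not code from the original page) of RFC 6238 TOTP generation plus a server-side check that tolerates one step of clock skew and refuses a code whose time step has already been used. The secret is the RFC 6238 reference seed; the ±1-step window and the in-memory `used_counters` set are assumptions standing in for a real per-user store.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the usual TOTP time step
DIGITS = 6          # most authenticator apps show 6 digits

# Constructed input: the shared secret from the RFC 6238 test vectors (ASCII digits).
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, used_counters: set,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side verification.

    Accepts the current step and `window` steps on either side, so a device clock
    that is up to ~30 s off still authenticates. A counter that already produced a
    successful login is refused, so a captured code cannot be replayed inside its
    validity period. Returns the matched counter, or None when rejected. Call this
    behind a per-user rate limit: the window alone does nothing against guessing.
    """
    now_counter = unix_time // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            used_counters.add(counter)
            return counter
    return None
```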
# WHY IT MATTERS
TOTP is the most practical second factor for mass deployment — it requires no SMS infrastructure, works offline, and creates no server dependency for code generation. But TOTP security depends on protecting the shared secret and on users backing up recovery codes. Many users never do either, creating a false sense of security.