Glossary
TOTP
Time-based One-Time Password
TOTP (Time-based One-Time Password) is the algorithm behind Google Authenticator, Authy, 1Password’s TOTP feature, and most software-based 2FA. Defined in RFC 6238 (2011).
How it works: at enrollment, the server and the authenticator app exchange a shared secret (typically a 160-bit value encoded as a base32 string or QR code). To generate the current OTP, both sides:
- Divide the current Unix time by the period (default 30 seconds) and round down; this is the counter.
- Compute HMAC-SHA1 of that counter using the shared secret.
- Truncate the HMAC output to a 6-digit code.
Both sides produce the same code without communicating. The 30-second window plus a ±1-window tolerance handles clock drift. The shared secret never leaves the device after enrollment.
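The three steps above and the ±1-window check, as an added example that is not code from the original page: a minimal RFC 6238 implementation in Python. The secret is the RFC 4226/6238 test-vector key "12345678901234567890", shown base32-encoded as an enrollment QR code would carry it; function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 4226 / RFC 6238 test-vector key
# "12345678901234567890" (ASCII), base32-encoded as enrollment QR codes carry it.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret; tolerate lowercase, spaces and missing padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)         # keep leading zeros


def totp(secret_b32: str, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is floor(unix_time / period); both sides compute this alone."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // period, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                period: int = 30, digits: int = 6, tolerance: int = 1) -> bool:
    """Server-side check accepting the current window and ±tolerance neighbours
    (clock drift). Constant-time comparison so timing reveals nothing about the code."""
    t = int(time.time()) if at is None else at
    key = decode_secret(secret_b32)
    counter = t // period
    for step in range(-tolerance, tolerance + 1):
        if hmac.compare_digest(hotp(key, counter + step, digits), code):
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(SECRET_B32))
```

A deployment should also remember the last counter it accepted and reject a code for that counter again, which limits the replay window described below to a single successful use.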
TOTP is enormously better than SMS OTP (no SIM-swap exposure) but doesn’t defeat phishing on its own — an attacker who phishes the current code can replay it within the window. WebAuthn / passkeys are the next-generation answer.
Published May 15, 2026