What is a time-based one-time password (TOTP)?

To complete transactions, businesses often require customers to share sensitive information, such as credit card numbers, addresses, or any other type of personally identifiable information (PII). However, every business knows that failing to protect customer data can result in becoming the subject of scathing headlines about data breaches and irresponsible data stewardship.

In order to protect customer information, more and more businesses are adopting some form of two-factor authentication (2FA). Requiring users—whether they’re employees or customers—to verify their identity in multiple ways helps keep sensitive information safe from attack and theft.

One of the most popular methods of 2FA is a time-based one-time password (TOTP). TOTPs generate a unique password for each login attempt. Unlike a non-time-based password, a TOTP is only valid for a short period of time.

By combining a secret key with the current time, the TOTP algorithm generates a unique password that can be used only once. This password, which changes every 30 seconds or so, is typically generated using an app on a smartphone or a hardware token. When a user logs in to a website or service that requires a TOTP, they enter the current one-time password along with their regular login credentials to complete the authentication process.

Why are TOTPs important?

Traditional passwords are susceptible to hacking attempts. If a hacker gains access to a user's login credentials, they can easily log in to the user's account and access their sensitive information, such as personal data or financial information.

TOTPs are designed to prevent unauthorized access to a user’s account even if a hacker has obtained their login credentials. Using TOTPs requires a hacker to have access to the user's TOTP device to generate a valid one-time password—in addition to their login credentials. Considering that the TOTP changes every 30 seconds, the possibility for a hacker to intercept it is very small.

Leveraging this extra layer of security helps protect users’ accounts and sensitive information from unauthorized access and data breaches.

How do TOTPs work?

To generate a unique, constantly changing password TOTPs rely on dynamic code that changes based on the current time. The full process typically follows the steps below:

1. The user sets up TOTP on their device

Setup can involve the user accessing a dedicated hardware token or installing a TOTP app on their smartphone or tablet. During setup, the user scans a QR code or enters a secret key provided by the service they’re logging into.

2. The TOTP app generates a one-time password

Once TOTP is set up, the user opens the app to generate a one-time password. This password is based on the current time and a shared secret key between the user and the service they’re logging into.

3. The user enters the one-time password

The user then enters the one-time password along with their regular login credentials to complete the authentication process.

4. The service verifies the one-time password

The service verifies that the one-time password provided by the user is valid by generating the same password using the same shared secret key and the current time. If the password matches, the user is granted access to their account.

5. The one-time password expires

The one-time password generated by the TOTP app is only valid for a short period of time. After this time period, the password expires and a new one must be generated to complete the next login attempt.

By requiring users to leverage TOTP’s multi-step process, businesses can add an additional layer of security to their online accounts, protecting themselves and their customers. In a digital era where nearly 800,000 people get hacked every year, making it much more difficult for hackers to gain unauthorized access to your accounts is a smart move.

How are TOTPs different from other forms of verification?

The time-based factor is the main differentiator between TOTP and other forms of verification. However, it’s not the only method for adding extra security to your accounts. Below, we’ll look at other forms of verification and how they differ from TOTPs.

Non-time-based OTPs

Non-time-based OTPs (one-time passwords) are another form of 2FA that generates a unique password valid for only one login attempt. Unlike TOTPs, they don’t rely on the current time to generate the password. However, they still use a shared secret key between the user and the service they’re logging into to generate the one-time password.

Non-time-based OTPs are less common than TOTPs because they’re generally considered to be less secure. They’re especially vulnerable to attacks such as replay attacks, where a hacker intercepts and re-uses a previously generated one-time password. Since TOTPs change frequently, they’re less susceptible to such attacks.

SMS 2FA

SMS 2FA uses a mobile phone to provide an additional layer of security to the traditional username and password login process. SMS 2FA requires the user to provide a one-time code sent to their mobile phone via text message in addition to their regular login credentials to gain access to their account.

SMS 2FA makes it more difficult for hackers to gain unauthorized access to the user's account. However, it’s considered less secure than other forms of 2FA because text messages can be intercepted or redirected by attackers, and some SIM cards can be hacked. As a result, many services are moving away from SMS 2FA in favor of more secure options such as TOTP or hardware tokens.

Hash-based one-time password (HOTP)

HOTP (HMAC-based one-time password) is another type of OTP algorithm that predates TOTP. Instead of using the current time as the input to the algorithm, HOTP uses a shared secret key and a counter value that increments each time the password is used. For example, if a user logs into a system for the third time, the OTP generator will provide password three, and so on.

Some applications still use HOTP, particularly those where network connectivity is limited. However, TOTP is more common and is generally considered to be more secure because the passwords change based on the current time, rather than incrementing counter values that could potentially be compromised.

Make sure your customers’ information is secure

Being unable to prevent a data breach is a surefire way to lose customers. Requiring customers or employees to use 2FA puts one more obstacle in the way of bad actors, keeping your data safe.

While it should be difficult for hackers to break into your data vaults, it shouldn’t be difficult for your business to set up and manage 2FA. Telnyx’s Verify API makes it easy to send 2FA codes over SMS, voice, and flash calls. With our extensive developer documentation and SDKs, your business can navigate our APIs with minimal resources, get to market faster, and safeguard sensitive data.

Talk to our team of experts to learn how your business can benefit from Verify API to keep your data safe.