To complete transactions, businesses often require customers to share sensitive information, such as credit card numbers, addresses, or any other type of personally identifiable information (PII). However, every business knows that failing to protect customer data can result in becoming the subject of scathing headlines about data breaches and irresponsible data stewardship.
In order to protect customer information, more and more businesses are adopting some form of two-factor authentication (2FA). Requiring users—whether they’re employees or customers—to verify their identity in multiple ways helps keep sensitive information safe from attack and theft.
One of the most popular methods of 2FA is a time-based one-time password (TOTP). A TOTP is a short code derived from a shared secret and the current time, so it changes on a fixed schedule (usually every 30 seconds) and is valid only during that window. Unlike a static password, a TOTP code that an attacker captures is useless once its time step has passed.
The TOTP algorithm (RFC 6238) computes an HMAC over the secret key and the current time step, then truncates the result to a six- or eight-digit code. The code changes every 30 seconds by default and is typically produced by an authenticator app on a smartphone or by a hardware token. When a user logs in to a website or service that requires TOTP, they enter the current code along with their regular login credentials to complete the authentication process. Note that the algorithm makes a code unique per time step, not per use: a server that wants strictly one-time behaviour must also remember the last code it accepted and refuse repeats.
Traditional passwords are easy to steal. They leak in breaches, get reused across services, and are phished. If an attacker obtains a user's login credentials, they can log in as that user and reach sensitive information such as personal data or financial records.
TOTP is designed to block access even when the attacker already has the password. To log in, the attacker also needs a valid current code, which requires access to the user's TOTP device or its secret key. Because each code expires within about 30 seconds, a code found in a breach dump or an old log is worthless. The caveat is that the window is not zero: a phishing page that relays the code to the real site in real time can still succeed, so the secret must be protected and users should enter codes only on the legitimate site.
Leveraging this extra layer of security helps protect users’ accounts and sensitive information from unauthorized access and data breaches.
TOTP produces a constantly changing code by feeding the current time into a keyed hash. The full process typically follows the steps below:
Setup involves the user installing a TOTP app on a smartphone or tablet, or obtaining a dedicated hardware token. The service then provides a secret key, usually by displaying a QR code that encodes an otpauth:// URI containing the secret, the issuer and the account name; the user scans it or types the key in manually. Leveraging a solution like the Uniqode Best QR Generator can ensure the QR codes used during setup are generated accurately, but remember that the QR code contains the secret itself, so it should be shown only once over an authenticated session and never logged or emailed.
Once TOTP is set up, the user opens the app to generate a one-time password. This password is based on the current time and a shared secret key between the user and the service they’re logging into.
The user then enters the one-time password along with their regular login credentials to complete the authentication process.
The service verifies the code by computing the expected value from the same shared secret and its own clock. Because the phone's clock and the server's clock rarely agree to the second, servers normally also accept the codes for the adjacent time step on either side. If the code matches and has not already been used, the user is granted access to their account.
A code is valid only for its time step, plus whatever clock skew the server tolerates. After that it expires and the app shows a new one for the next login attempt.
By requiring users to complete TOTP's extra step, businesses add a layer of security that protects themselves and their customers. In a digital era where nearly 800,000 people get hacked every year, making it much more difficult for attackers to gain unauthorized access to your accounts is a smart move.
The time-based factor is the main differentiator between TOTP and other forms of verification. However, it’s not the only method for adding extra security to your accounts. Below, we’ll look at other forms of verification and how they differ from TOTPs.
Non-time-based OTPs (one-time passwords) are another form of 2FA that generates a unique password valid for only one login attempt. Unlike TOTPs, they don’t rely on the current time to generate the password. However, they still use a shared secret key between the user and the service they’re logging into to generate the one-time password.
Non-time-based OTPs are less common than TOTPs. Their weakness is that a code has no built-in expiry: if the server does not mark it as used, a code captured in transit can be replayed later. TOTP bounds that exposure to a single time step (plus the skew the server tolerates), which is why it is generally preferred.
SMS 2FA uses a mobile phone to provide an additional layer of security to the traditional username and password login process. SMS 2FA requires the user to provide a one-time code sent to their mobile phone via text message in addition to their regular login credentials to gain access to their account.
SMS 2FA makes it harder for attackers to get into an account, but it is considered weaker than other forms of 2FA: text messages can be intercepted or redirected through SS7 network abuse, and a SIM-swap attack moves the victim's phone number to a SIM the attacker controls. As a result, many services are moving away from SMS 2FA in favor of more secure options such as TOTP apps or hardware tokens.
HOTP (HMAC-based one-time password, RFC 4226) is the older algorithm that TOTP is built on. Instead of the current time, HOTP feeds a shared secret and a counter into the HMAC, and the counter increments each time a code is generated. Each code therefore corresponds to the next counter value, so the server must keep track of how many codes have been consumed.
Some applications still use HOTP, particularly hardware tokens that have no clock. TOTP is more common and is generally preferred because its codes expire on their own after the time step, whereas an HOTP code stays valid until it is used. HOTP also has a synchronization problem: if the user generates codes without submitting them, the token's counter runs ahead of the server's, so servers accept a look-ahead window of future counter values, which widens the set of codes an attacker could guess or replay.
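As an added worked example (not code from the original article or from Telnyx), the following Python implements the HOTP algorithm from RFC 4226 and the TOTP algorithm from RFC 6238 that is built on it, covering both the setup-and-verify procedure described in the steps above and the counter-based HOTP variant just described. It is checked against the known-answer vectors published in those RFCs (the ASCII secret "12345678901234567890"). The function names, the one-step skew window, the replay check on the last accepted counter and the HOTP look-ahead size are this example's own choices, not any specific product's behaviour.

```python
# Added worked example (not from the original article): RFC 4226 HOTP and
# RFC 6238 TOTP generation plus server-side verification. Function names and
# the window/look-ahead parameters are this example's own choices.
import base64
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"),
# used here as a constructed, known-answer input. Real deployments must
# generate a fresh random secret per user (see new_secret()).
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(length: int = 20) -> bytes:
    """Generate a fresh 160-bit secret for one user enrolment."""
    return secrets.token_bytes(length)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits)


def provisioning_uri(secret: bytes, issuer: str, account: str, digits: int = 6, step: int = 30) -> str:
    """The otpauth:// key URI that the enrolment QR code encodes.
    It carries the raw secret, so display it once over an authenticated session and never log it."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}"


def verify_totp(secret: bytes, code: str, now: int, last_used_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side TOTP check.

    Accepts the current time step and `window` steps on either side to tolerate
    clock skew, and refuses any step at or before the last one that was accepted,
    so a captured code cannot be replayed. Returns (ok, counter_to_store).
    """
    counter = now // step
    for candidate in range(counter - window, counter + window + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue                                          # already consumed: replay
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_used_counter


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check with a look-ahead window to resynchronise a token
    whose counter has run ahead (user pressed the button without logging in).
    Returns (ok, next_expected_counter). A larger look-ahead widens the set of
    codes an attacker could guess, so keep it small."""
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate + 1
    return False, server_counter


if __name__ == "__main__":
    # Enrolment: the server generates a secret and shows it as a QR code.
    print(provisioning_uri(RFC_TEST_SECRET, "ExampleCorp", "alice@example.com"))
    # Login: the phone computes the code, the server verifies it with its own clock.
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    ok, last = verify_totp(RFC_TEST_SECRET, code, now)
    print("first use:", ok)
    print("replay:   ", verify_totp(RFC_TEST_SECRET, code, now + 5, last_used_counter=last)[0])
```

The stored value returned by verify_totp (the accepted time-step counter) is what turns TOTP into a genuinely one-time scheme: persist it per user and pass it back as last_used_counter on the next login. For HOTP, persist the next_expected_counter instead; the look-ahead loop is what resynchronises a token that has been clicked a few times without being used.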
Being unable to prevent a data breach is a surefire way to lose customers. Requiring customers or employees to use 2FA puts one more obstacle in the way of bad actors, keeping your data safe.
While it should be difficult for hackers to break into your data vaults, it shouldn’t be difficult for your business to set up and manage 2FA. Telnyx’s Verify API makes it easy to send 2FA codes over SMS, voice, and flash calls. With our extensive developer documentation and SDKs, your business can navigate our APIs with minimal resources, get to market faster, and safeguard sensitive data.
Talk to our team of experts to learn how your business can benefit from Verify API to keep your data safe.
What is a time-based one-time password (TOTP)?
A TOTP is a temporary code generated from a shared secret and the current time. It adds a second verification factor to reduce account takeover risk.
How does a TOTP generate codes?
An authenticator app combines your secret key with the current time, divided into short intervals (typically 30 seconds), to produce a six- or eight-digit code. The server performs the same calculation and accepts the code if the two clocks agree within a small window.
Is TOTP more secure than SMS OTP?
App-based TOTP is generally safer because it is not exposed to SIM-swap or SS7 network attacks. You should still secure the device, protect the secret, and keep recovery options available.
How do I get a one-time password?
Services deliver OTPs via SMS, email, or voice call, or generate them in an authenticator app once you enable two-factor authentication. Start the login or verification flow and the service will send the code to your registered method.
How do I set up a TOTP authenticator on my account?
Most providers let you enable 2FA, scan a QR code with an authenticator app, and confirm a six-digit code; Telnyx's Mission Control portal uses a similar TOTP setup flow. Save your recovery codes and enroll a backup device to avoid lockouts.
What if I lose my phone or delete my TOTP app?
Use your printed backup codes or a secondary enrolled device to regain access, then re-enroll a new authenticator. If you have neither, contact the service’s support team, verify your identity, and revoke the lost device.
What is an app-based one-time password, and how does it compare to hardware tokens?
App-based OTPs are software tokens on your phone, while hardware tokens are dedicated physical devices. Both can use TOTP, but apps are easier to deploy at scale and hardware tokens can meet higher assurance or offline requirements.