Cybersecurity 101back-iconWhat is Time-based OTP (TOTP)?

What is Time-based OTP (TOTP)?

Time-based OTP (TOTP) is a one-time authentication code generated from a shared secret and the current time.

A time based otp is commonly used as part of two-factor authentication after a password. Instead of sending a code by SMS, an authenticator app or hardware token calculates a short numeric code that is valid only for a brief window, usually around 30 seconds.

How does it work?

During setup, the service and the authenticator receive the same secret, often through a QR code. When the user signs in, the authenticator combines that secret with the current time step, runs a cryptographic calculation, and displays a code.

The service performs the same calculation and compares the submitted code with its expected value. To avoid unnecessary lockouts, it may accept codes from a small neighboring time window, but expired codes should not remain valid indefinitely.

TOTP component What it does
Shared secret Links the user’s authenticator with the service during enrollment.
Time step Defines when a code changes and how long it remains usable.
Verification window Allows limited clock tolerance while rejecting old or invalid codes.

TOTP vs HOTP

HOTP also creates one-time passwords from a shared secret, but it advances with an event counter, such as a button press or login attempt. TOTP advances with time, which makes stale codes expire automatically.

For most workforce logins, TOTP is easier to operate than counter-based OTP because users do not need token resynchronization as often. However, it is not the same as phishing-resistant MFA; a fake login page can still capture a current code if the user enters it.

How Hexnode supports Time-based OTP (TOTP)

Hexnode does not replace an identity provider or authenticator service. It supports time based otp adoption by helping organizations manage the endpoints that users rely on for secure access.

With Hexnode UEM, IT teams can deploy approved authenticator apps, enforce passcode and encryption policies, monitor device compliance, restrict risky device behavior, and take remote actions such as lock or wipe on lost devices. This strengthens the device layer around MFA, Zero Trust, and authentication-related policies.

When should organizations use it?

Organizations should use time based otp when passwords alone create too much account takeover risk, especially for cloud apps, VPNs, admin consoles, financial systems, and remote workforce access.

It is a practical baseline for broad multi-factor authentication because it is inexpensive, familiar, and works without cellular delivery. For privileged accounts, highly targeted users, or regulated workflows, pair it with conditional access, managed endpoints, and stronger options such as passkeys or security keys where available.

FAQs

A code should not be accepted after its validity window. Some systems also track recently used codes to reduce replay risk within the same window.

Usually, yes. TOTP is generated locally and avoids SIM-swap and carrier interception risks, but it can still be phished or exposed on compromised devices.

Common causes include clock drift, the wrong account seed, restored authenticator apps without secrets, device replacement, or an enrollment reset by IT.