Tags: Security, TOTP, MFA, Cybersecurity

How Multi-Factor Authentication Works: Under the Hood of TOTP

Time-based One-Time Passwords secure accounts without internet access. Learn how the shared secret and server clocks work, and why TOTP outperforms SMS authentication.

BuiltItDev Team · May 30, 2026 · 8 min read

What is TOTP?

Passwords alone are no longer enough. Multi-factor authentication (MFA) has become a security standard. One of the most common MFA methods is the Time-based One-Time Password (TOTP) protocol.

When you log into an account, you open an app like Google Authenticator or Microsoft Authenticator, and copy a 6-digit code that changes every 30 seconds.

But how does this code change without the app connecting to the internet? How does the server know exactly what code is on your phone? Let's look under the hood of TOTP security.

How TOTP Works: The Shared Secret and the Clock

The entire TOTP protocol relies on two inputs: a **shared secret key** and the **current time**.

  1. The Shared Secret — When you first scan a 2FA QR code, your authenticator app reads a base32-encoded string (the secret). The server stores this same secret key in its database, linked to your user account.
  2. The Time Step — TOTP divides time into 30-second intervals (steps). The number of 30-second steps since the Unix Epoch (January 1, 1970) serves as a counter.
  3. The HMAC Algorithm — Both the app and the server feed the secret key and the current counter into HMAC-SHA1. The resulting hash is truncated and reduced to its last six decimal digits to produce the final 6-digit verification code.

Because both your phone and the server have synchronized clocks and share the same secret key, they generate the exact same code independently.

Time Sync is Essential
If your phone's internal clock is out of sync by even 15 seconds, it can fall into a different 30-second step than the server, and the generated TOTP code will fail verification. Most systems therefore accept a "window" of one step before and after the current one to absorb clock drift.
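As an added example (not code from the original post), here is the scheme described above in Python: base32 decoding of the QR-code secret, HMAC-SHA1 over the step counter with RFC 4226 dynamic truncation, and a server-side check that accepts one step of drift either way. The secret used is the RFC 6238 reference secret, included as a constructed sample so the output can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30     # RFC 6238 default time step, in seconds
DIGITS = 6    # code length shown by the authenticator app
WINDOW = 1    # accept one step before/after to tolerate clock drift


def decode_secret(b32_secret: str) -> bytes:
    """Decode the base32 secret from the QR code (apps often omit '=' padding)."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(b32_secret: str, unix_time: Optional[int] = None) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(decode_secret(b32_secret), t // STEP)


def verify(b32_secret: str, submitted: str, unix_time: Optional[int] = None) -> bool:
    """Server-side check: current step plus WINDOW steps either side, compared in
    constant time. A production server should also refuse a code it has already accepted."""
    t = int(time.time()) if unix_time is None else unix_time
    key = decode_secret(b32_secret)
    counter = t // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), submitted)
               for d in range(-WINDOW, WINDOW + 1))


# Constructed sample: the RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                    # 287082 (last 6 digits of RFC vector 94287082)
    print(verify(RFC_SECRET, "287082", 59 + 30))   # True: one step of drift is inside the window
    print(verify(RFC_SECRET, "287082", 59 + 60))   # False: two steps of drift is outside it
```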

Why TOTP is Superior to SMS 2FA

Many platforms offer two-factor authentication via SMS text messages. However, SMS is highly vulnerable to:

  • SIM Swapping — Hackers trick your carrier into routing your phone number to their SIM card, letting them intercept your codes.
  • Phishing — SMS messages can be intercepted or redirected in transit.
  • Network dependency — You cannot receive SMS codes if you don't have cell service.

TOTP runs entirely locally in your app. It does not send or receive any network packets, making it immune to SIM swapping and usable even when you are completely offline.

Audit and Generate Your Credentials

To test base32 secret keys and generate TOTP codes right in your browser, check out our offline-safe TOTP Generator.

Securing your account starts with a strong password. You can test your password strength and calculate how long it would take a hacker to crack it using our Password Strength Checker, or build a strong, secure credential instantly using the Password Generator.