Authentication & Identity

TOTP

Time-based One-Time Password (TOTP) is an MFA mechanism that derives a 6-digit code from a shared secret and the current time, producing a new code every 30 seconds. It is standardized in RFC 6238 and supported by apps such as Google Authenticator, Authy, and 1Password. TOTP codes are more secure than SMS-based OTPs because they never traverse the cellular network. However, TOTP is still susceptible to real-time phishing, where the attacker captures the code from the user and relays it to the legitimate site before it expires.

Why it matters for your website

  • Directly impacts resistance to account takeover and credential theft
  • Required for SOC 2, HIPAA, and PCI-DSS compliance
  • Misconfiguration can expose all user accounts to attack
