Skip to content

Time-Based One-Time Password

TOTP.

A six-or-eight-digit code generated by an authenticator app that rotates every 30 seconds, derived from a shared secret and the current time per RFC 6238.

TOTP was standardized in RFC 6238 (2011) and widely adopted as the TOTP algorithm replacing the older HOTP. In 2026 TOTP remains the most common form of "real" MFA, it clears AAL2 thresholds, has no carrier-network exposure, and works offline. The phishability via AitM proxies is the reason teams aiming for the strongest security migrate users from TOTP to passkeys; for the broad middle, TOTP plus password is still a meaningful improvement over password alone.

Go deeper: TOTP codes are an HMAC-SHA1 construction; SHA-1: legacy applications and migration strategies explains where SHA-1 is still safe and where it is not.

Common questions

Is TOTP secure enough for MFA in 2026?

How does TOTP differ from SMS OTP?

Why does my TOTP code stop working after 30 seconds?

Related terms

In the guides

Last updated 2026-05-06.