TOTP
ELI5 — The Vibe Check
TOTP (Time-based One-Time Password) is the 6-digit code that changes every 30 seconds in apps like Google Authenticator. It uses a shared secret and the current time to generate a code. Even if someone sees your code, it expires in 30 seconds and a new one takes its place.
Real Talk
TOTP (Time-based One-Time Password) is an algorithm (RFC 6238) that generates short-lived passwords from a shared secret and the current timestamp. Both the server and the authenticator app independently compute the same code. It's a common second factor in MFA implementations.
Show Me The Code
// Generating and verifying a TOTP secret with speakeasy
import speakeasy from 'speakeasy';

// On setup: generate a random 20-byte (160-bit) secret, the length RFC 4226 recommends
const secret = speakeasy.generateSecret({ length: 20 });
// Store secret.base32 for the user (server side, encrypted at rest)
// Show secret.otpauth_url as a QR code so the authenticator app can import it

// On verification: user.totpSecret is the stored base32 secret,
// userProvidedCode is the 6-digit code the user just submitted
const verified = speakeasy.totp.verify({
  secret: user.totpSecret,
  encoding: 'base32',
  token: userProvidedCode,
  window: 1, // also accept the previous and next 30-second step to tolerate clock skew
});
When You'll Hear This
"Scan the QR code in your TOTP app." / "The TOTP code is only valid for 30 seconds."
Related Terms
2FA (2FA)
2FA is short for Two-Factor Authentication. Two locks instead of one. Password plus a code from your phone (or a hardware key).
Authentication (AuthN)
Authentication is proving you are who you say you are.
Biometric
Biometric authentication uses your body as your password — fingerprint, face, iris scan.
MFA (MFA)
MFA stands for Multi-Factor Authentication. It's the umbrella term for requiring multiple proofs of identity. 2FA is MFA with exactly two factors.