Skip to contentSkip to navigationSkip to topbar
Rate this page:
On this page

What is a Time-based One-time Password (TOTP)?


TOTP stands for Time-based One-Time Passwords and is a common form of two-factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm(link takes you to an external page) that uses the current time as an input. The time-based passwords are available offline and provide user-friendly, increased account security when used as a second factor.

Example TOTP accounts in Google Authenticator.

Example TOTP accounts in an authenticator app

TOTP is also known as app based authentication, software tokens, or soft tokens. Authentication apps like Authy(link takes you to an external page) and Google Authenticator support the TOTP standard.

Twilio's Verify API offers support for TOTP authentication in addition to SMS, voice(link takes you to an external page), email, and push channels. Get started with our TOTP sample application(link takes you to an external page) or step-by-step QuickStart.


One-time passwords for two factor authentication

one-time-passwords-for-two-factor-authentication page anchor

2FA adds an extra layer of account protection by requiring two types of authentication. This can be something a user knows, like a password, and something the user has, like a phone. One-time passwords, including TOTP, are a common possession or "something you have" factor and help increase the security of your users accounts.

A recent study(link takes you to an external page) about the usability of 2FA methods found that TOTP had the highest usability score of the various second factors tested. This tells us that TOTP is not only a viable method for authentication, but will be preferred by many users.

Authentication system usability scale (SUS) scores.

system usability scale (SUS) scores show TOTP is most usable


The TOTP algorithm follows an open standard documented in RFC 6238(link takes you to an external page). The inputs include a shared secret key and the system time. The diagram below shows how the two parties can separately calculate the passcode without internet connectivity.

TOTP algorithm diagram showing authenticator app and application infrastructure plus system time to create the same passcode.

The algorithm uses a form of symmetric key cryptography: the same key is used by both parties to generate and validate the token.


The inputs to the TOTP algorithm are device time and a stored secret key. Neither the inputs nor the calculation require internet connectivity to generate or verify a token. Therefore a user can access TOTP via an app like Authy(link takes you to an external page) while offline.

TOTP's offline support is ideal for users who might need to access their authentication while traveling abroad, on a plane, in a remote area, or otherwise without network connectivity.


While SMS is an ideal solution for 2FA adoption(link takes you to an external page) and ease of use, TOTP has several benefits including:

  • Offline support
  • PII-less registration
  • Standardized(link takes you to an external page) authentication solution
  • Software based, not dependent on carrier fees or telephony access and deliverability
  • Faster(link takes you to an external page) average time to authenticate
  • Increased security compared to SMS 2FA: the secret key input for TOTP is only shared once and the method does not rely on the telephony network, which helps reduce the attack surface. TOTP has stronger proof of possession than SMS, which can be legitimately accessed via multiple devices and may be susceptible to SIM swap attacks.

Most customers end up implementing multiple forms of 2FA, so their users can choose the channel that works best for them. Other channels Twilio Verify supports include push, voice, and email. This blog post(link takes you to an external page) takes a more detailed look at the security concerns of SMS 2FA.


HOTP stands for HMAC(link takes you to an external page)-based One-Time Password and is the original standard that TOTP was based on. Both methods use a secret key as one of the inputs, but while TOTP uses the system time for the other input, HOTP uses a counter, which increments with each new validation. With HOTP, both parties increment the counter and use that to compute the one-time password.

The HOTP standard is documented in RFC 4226(link takes you to an external page).

While HOTP is still used, consumer authenticator apps like Authy and Google Authenticator implement the TOTP standard.


Add TOTP authentication support with the Twilio Verify API

add-totp-authentication-support-with-the-twilio-verify-api page anchor

Here's the code to create a TOTP factor. Follow the TOTP Quickstart for more details about how to generate a QR code and validate tokens.

Create a new TOTP factor

create-a-new-totp-factor page anchor
Node.js
Python
C#
Java
Go
PHP
Ruby
twilio-cli
curl

_15
// Download the helper library from https://www.twilio.com/docs/node/install
_15
// Find your Account SID and Auth Token at twilio.com/console
_15
// and set the environment variables. See http://twil.io/secure
_15
const accountSid = process.env.TWILIO_ACCOUNT_SID;
_15
const authToken = process.env.TWILIO_AUTH_TOKEN;
_15
const client = require('twilio')(accountSid, authToken);
_15
_15
client.verify.v2.services('VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
_15
.entities('ff483d1ff591898a9942916050d2ca3f')
_15
.newFactors
_15
.create({
_15
friendlyName: `Taylor's Account Name`,
_15
factorType: 'totp'
_15
})
_15
.then(new_factor => console.log(new_factor.binding));

Output

_26
{
_26
"sid": "YFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_26
"account_sid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_26
"service_sid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_26
"entity_sid": "YEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
_26
"identity": "ff483d1ff591898a9942916050d2ca3f",
_26
"binding": {
_26
"alg": "ES256",
_26
"public_key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8GdwtibWe0kpgsFl6xPQBwhtwUEyeJkeozFmi2jiJDzxFSMwVy3kVR1h/dPVYOfgkC0EkfBRJ0J/6xW47FD5vA=="
_26
},
_26
"date_created": "2015-07-30T20:00:00Z",
_26
"date_updated": "2015-07-30T20:00:00Z",
_26
"friendly_name": "Taylor's Account Name",
_26
"status": "unverified",
_26
"factor_type": "totp",
_26
"config": {
_26
"sdk_version": "1.0",
_26
"app_id": "com.example.myapp",
_26
"notification_platform": "fcm",
_26
"notification_token": "test_token"
_26
},
_26
"metadata": {
_26
"os": "Android"
_26
},
_26
"url": "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Entities/ff483d1ff591898a9942916050d2ca3f/Factors/YFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
_26
}

Here is an example of a TOTP generated with the Verify API inside the Authy App. Tokens expire in 30 seconds by default, but you can change the expiration period when you create a Factor.

Example TOTP token in the Authy App showing that the token expires in 27 seconds.

How to protect your accounts with an authenticator app

how-to-protect-your-accounts-with-an-authenticator-app page anchor

Download the Authy app for iOS or Android(link takes you to an external page) and learn more about how to add authenticator app support on your favorite websites with Authy's 2FA guides(link takes you to an external page).


TOTP support through a consumer authenticator app is widely available, PII-less, and offers increased security. TOTP is a great solution for both providing a good user experience and strong authentication. Many companies now offer TOTP support as a step up from SMS based 2FA.

Check out these resources for more information on Twilio's APIs for multichannel user verification:


Rate this page: