TOTP Implementation Guide for Developers
How to implement Time-based One-Time Passwords (TOTP) in web applications — RFC 6238 explained.
Tags: TOTP implementation guide, implement 2FA TOTP, RFC 6238 TOTP
TOTP generates time-synchronized one-time passwords by computing HMAC-SHA1 of the current 30-second time window with the user's shared secret, then extracting 6 digits via dynamic truncation.

---

How TOTP Works: The Algorithm

TOTP extends HOTP (HMAC-based OTP, RFC 4226) by replacing the HOTP counter with a time counter:

Step 1: Calculate the time counter
For timestamp 1712000000: T = floor(1712000000 / 30) = 57066666

Step 2: Compute HMAC-SHA1
The result is a 20-byte (160-bit) hash.

Step 3: Dynamic truncation

Step 4: Extract 6 digits

Implementation in Python

Implementation in Node.js

Setting Up TOTP for a New User

The setup flow involves provisioning a secret and displaying a QR code. The URI scheme is the…
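The four steps above carried through in code, as an added example that is not the guide's own Python listing: Base32 secret decoding, HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, 6-digit extraction, and a verifier that accepts one step of clock drift on either side and compares in constant time. The secret in the demo is the RFC 6238 test key "12345678901234567890" encoded in Base32, so the codes match the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def time_counter(unix_seconds: int, step: int = 30) -> int:
    """Step 1: T = floor(unix_seconds / step)."""
    return unix_seconds // step


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps often show the secret lower-case, spaced and unpadded; normalise it."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    msg = struct.pack(">Q", counter)                  # Step 2: 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()   # 20-byte (160-bit) tag
    offset = mac[-1] & 0x0F                           # Step 3: low nibble of the last byte picks the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # Step 4: keep `digits` digits, left-pad with zeros


def totp(secret_b32: str, unix_seconds: int, step: int = 30, digits: int = 6) -> str:
    return hotp(decode_secret(secret_b32), time_counter(unix_seconds, step), digits)


def verify_totp(secret_b32: str, candidate: str, unix_seconds: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.

    Every candidate step is checked and compared with hmac.compare_digest, so the
    time taken does not reveal which step (if any) matched.
    """
    key = decode_secret(secret_b32)
    t = time_counter(unix_seconds, step)
    matched = False
    for delta in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(key, t + delta, digits), str(candidate))
    return matched


if __name__ == "__main__":
    # RFC 6238 test key "12345678901234567890", Base32-encoded (constructed demo input).
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(demo_secret, 59), totp(demo_secret, 59, digits=8))  # 287082 94287082
    print(verify_totp(demo_secret, totp(demo_secret, int(time.time())), int(time.time())))
```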
Frequently Asked Questions
What is TOTP?
TOTP (Time-based One-Time Password) is a two-factor authentication algorithm defined in RFC 6238. It generates a 6-digit code that changes every 30 seconds based on the current time and a shared secret. The code is valid only for the current 30-second window (plus tolerance for clock drift). It's the algorithm behind Google Authenticator, Authy, and most authenticator apps.
How does TOTP work?
TOTP computes HMAC-SHA1 of the current time step (floor(unix_seconds / 30)) using the user's secret key. It then extracts 4 bytes from the HMAC output using dynamic truncation and takes modulo 10^6 to get a 6-digit code. The authenticator app and the server independently compute the same TOTP from the shared secret and current time — they match only if the secrets match and clocks are in sync.
What is RFC 6238?
RFC 6238 is the IETF standard defining TOTP (Time-based One-Time Password Algorithm), published in May 2011. It extends RFC 4226 (HOTP) by using the current Unix timestamp divided by the time step (30 seconds) as the counter, instead of an incrementing counter. RFC 6238 specifies the algorithm, time step (default 30s), HMAC algorithm (SHA-1 or SHA-256/512), and output length (default 6 digits).
How do I implement TOTP in JavaScript?
Use the HMAC-SHA1 algorithm with the time-step counter as the message and the user's Base32-decoded secret as the key. Libraries like otplib (Node.js) or otpauth (browser/Node.js) implement the full RFC 6238 spec including Base32 decoding, HMAC computation, dynamic truncation, and clock drift tolerance. Implement from scratch only if you understand the full RFC.
How does Google Authenticator generate codes?
Google Authenticator implements RFC 6238 TOTP using HMAC-SHA1 with a 30-second time step and 6-digit output. It stores the Base32-encoded shared secret for each account, computes the time step from the current device clock, and calculates the TOTP. The 6-digit code changes every 30 seconds. The app and server must have synchronized clocks — Authenticator accounts for ±1 step (30s) of clock drift.