Hungry for knowledge? Check out the blog for articles written by our experts.

The use of TOTP in two-factor authentication (2FA)

What is 2FA?

2FA (Two-Factor Authentication), or more broadly, MFA (Multi-Factor Authentication), is a method of authentication that employs two or more factors.

By authentication, we imply the process of verifying that a user is who they claim to be. The most common way to achieve this is by using a login and password. However, these security measures are often insufficient, and an additional component is required.

2FA/MFA authentication follows the principle that the user must “know something” (know the password) and “have something” (possess physical access to an additional security measure). In many cases, another factor in the form of “being something/someone” (in the case of biometric security) is also added.

Why should you use 2FA?

As the number of IT hacks continues to rise, it is crucial to keep your data safe. However, standard login and password solutions do not provide an adequate level of security due to their vulnerability to hacking and interception.

There are several methods by which attackers can obtain login credentials. Brute-force methods can be used to crack weak passwords. Credentials can also be intercepted through phishing or by exploiting password leaks. Social engineering methods are also commonly used to gain unauthorized access. These are just a few examples of the many ways in which credentials can be compromised.

The use of 2FA (two-factor authentication) can significantly increase the level of security. This means that a person trying to gain access to a system must not only know the login and password but also have access to an additional device that the user has. Introducing an extra layer of authentication greatly reduces the likelihood of a successful attack.

Types of 2FA

Two-factor authentication (2FA) can be implemented in multiple ways. SMS, email, TOTP, and U2F are the most commonly used methods.

SMS is the most popular method, where the user receives an additional code to confirm the login process. However, some people may feel uncomfortable sharing their phone numbers.

 Email verification is similar to SMS but less secure, as mailboxes are more prone to hacking.

TOTP uses codes generated by algorithms based on the current time. These codes are generated in third-party applications and do not require users to share their phone numbers. However, the user must have access to the device on which the codes are generated.

U2F is the most secure method. It uses an external hardware key called Universal 2nd Factor (U2F) for authentication. However, this method incurs additional costs, as the user must have a physical token.

How does TOTP work?

The TOTP (Time-Based One-Time Password) algorithm generates access codes that can be used only once, using the current time as the base. A detailed description is described in a separate article. Because its principle is precisely known and defined by the relevant standard (RFC 6238), it has been implemented in many independent applications that generate access codes.

To use this authentication method, a user must install one of these applications, such as Google Authenticator or Authy, on their device, such as a smartphone. It’s essential to note that these apps can secure many different services, generating separate access codes for each.

The most common implementation of 2FA using TOTP involves generating a QR code in the secured service, which is then scanned by an application that implements TOTP, such as Google Authenticator. The app generates a new code every specified time, typically 30 seconds, which must be entered when logging in. The entire process is straightforward and fast.

Are you looking for a contractor who puts code quality first?

We invite you to a free consultation – we will talk and see if we can help.

Additional security codes are displayed during setup and should be saved in case the code-generating device is lost.

An essential feature of this solution is that it works offline without connection to the secured service. The secured service knows what value to expect at a given moment based on the TOTP algorithm and the current time, eliminating the possibility of intercepting the code sent to the user.

TOTP is an excellent compromise between security, convenience, and cost. U2F is a safer option, but it requires a dongle.

Is TOTP more secure than SMS?

SMS verification is a widely used method for two-factor authentication. It is popular because users can use it easily without additional actions except providing their phone number. However, is SMS verification a secure solution compared to TOTP?

In the case of TOTP, the verification code is calculated directly on the user’s device, eliminating the possibility of interception. However, in SMS verification, the verification code is sent through the body of the message so it can be intercepted. The independent communication channel in SMS does increase security but does not protect against SMS interception, which can happen in a few different ways. For example, it can be done through a duplicate SIM card or third-party applications that the user might unknowingly install.

The SS7 protocol used in telecommunications networks is also weak in SMS verification. It was created in the 1980s and is not designed for safety-related applications, making it vulnerable to potential attacks.

In comparison, TOTP is more secure because the code is not sent to the user, but instead calculated on their device. However, both methods are vulnerable to phishing attacks when the user enters the code into the service they try to log in.

Many users feel uncomfortable giving out their phone numbers to services they don’t fully trust, which can lead to them not using the service. By implementing 2FA with TOTP, this inconvenience can be eliminated. Additionally, implementing 2FA with SMS increases the cost of maintaining the service due to the additional fees for sending messages, while TOTP reduces subsequent maintenance costs.


Implementing Two-Factor Authentication (2FA) on a website using Time-Based One-Time Password (TOTP) significantly increases the security level of users without incurring additional costs.

This type of authentication can be applied to most services without generating extra expenses associated with the operation of SMS gateways.

Data security is crucial for every business. Before you decide on the authentication mechanisms for your application, it’s recommended to consult with security experts.

We offer a free consultation to determine the best 2FA solutions for your needs. Don’t leave your data vulnerable to attacks.

{You may also like}