What Is TOTP? How Time-Based Codes Work and Why They Expire
Learn what TOTP means, how authenticator codes are generated, and what usually causes mismatched or rejected codes.
Quick Summary
- TOTP stands for Time-Based One-Time Password.
- The code is generated from a shared secret and the current time, not from the internet.
- Most code mismatches come from the wrong secret, missing QR settings, or clock drift.
Key Takeaways
- TOTP is the protocol; apps like Google Authenticator are products that implement it.
- Short expiry windows reduce how long an intercepted code stays useful.
- Preserving the full QR payload matters because defaults are not universal.
TOTP in plain language
TOTP is a standard way to generate short-lived login codes from a secret key and the current time. The service and your authenticator app both know the same secret, so they independently arrive at the same code for the same moment.
That is why TOTP does not require internet to create a code. Once the secret is stored locally, the device clock and the algorithm are enough.
How it differs from SMS and HOTP
SMS depends on your phone number and carrier network. TOTP does not. HOTP uses an event counter instead of time, so both sides must keep that counter in sync; TOTP avoids that problem, which is why it is generally more convenient for modern authenticator apps.
For everyday users, the biggest advantage is reliability when you are offline or traveling.
What is inside the QR code
Authenticator QR codes usually contain an otpauth:// URL. That URL includes the secret plus metadata such as issuer, digit length, period, and algorithm.
Superficial guides often tell users to save only the secret, but if the service uses a non-default digit length, period, or algorithm and the tool that re-imports the secret ignores those settings, the codes it produces will not match.
Why codes stop matching
Most TOTP failures are operational rather than cryptographic. The usual causes are a mismatched secret, lost QR settings during manual entry, or a device clock that is off.
A practical troubleshooting flow is to compare secrets first, then QR settings, then the system clock.
Users often waste time reinstalling apps before checking those basics. In practice, a careful comparison of the QR payload usually resolves the issue faster than resetting 2FA from scratch.
A useful habit is to test one fresh code in a new 30-second window after each change. That gives you a cleaner signal about whether the secret, settings, or time sync problem has actually been fixed.
For teams and careful individual users, keeping one known-good reference QR or encrypted backup note can also reduce future troubleshooting time because it gives you a clean baseline to compare against.
- Wrong secret or Base32 typo
- Clock drift on phone or desktop
- Custom digits, period, or algorithm not preserved
- Comparing codes from different 30-second windows
Comparison Table
The most common TOTP questions during setup and recovery.
| Question | Short answer | What to check next |
|---|---|---|
| Do I need internet to generate a code? | No | Check the device clock instead |
| Can two apps show the same code? | Yes | They must use the same secret and settings |
| Why does the code expire quickly? | Short time windows are part of the design | Wait for the next window and compare again |
| Why is my code rejected? | Usually secret, settings, or time mismatch | Inspect the QR payload and the system clock |
FAQ
Is TOTP the same as Google Authenticator?
No. TOTP is the open standard. Google Authenticator is one app that implements it.
Can TOTP work without internet?
Yes. TOTP codes are generated from the shared secret and your local device clock.
Why does my code refresh before I finish typing it?
Most services use 30-second windows, so the code changes frequently by design.