2FA Basics · 10 min · Published 2026-03-17 · Reviewed 2026-04-08

What Is TOTP? How Time-Based Codes Work and Why They Expire

Learn what TOTP means, how authenticator codes are generated, and what usually causes mismatched or rejected codes.


Quick Summary

  • TOTP stands for Time-Based One-Time Password.
  • The code is generated from a shared secret and the current time, not from the internet.
  • Most code mismatches come from the wrong secret, missing QR settings, or clock drift.

Key Takeaways

  • TOTP is the protocol; apps like Google Authenticator are products that implement it.
  • Short expiry windows reduce how long an intercepted code stays useful.
  • Preserving the full QR payload matters because defaults are not universal.

TOTP in plain language

TOTP is a standard way to generate short-lived login codes from a secret key and the current time. The service and your authenticator app both know the same secret, so they independently arrive at the same code for the same moment.

That is why TOTP does not require internet to create a code. Once the secret is stored locally, the device clock and the algorithm are enough.

How it differs from SMS and HOTP

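SMS depends on your phone number and carrier network. TOTP does not. HOTP uses a counter instead of time, so the app and the service have to keep that counter in step with each other. TOTP derives its counter from the clock, which is why it is generally more convenient for modern authenticator apps.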

For everyday users, the biggest advantage is reliability when you are offline or traveling.

What is inside the QR code

Authenticator QR codes usually contain an otpauth:// URL. That URL includes the secret plus metadata such as issuer, digit length, period, and algorithm.

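Thin guides often tell users to save only the secret, but compatibility can break if a tool ignores non-default settings: when the digit length, period, or algorithm from the QR code is dropped, the tool falls back to its own defaults and the codes no longer match.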

Why codes stop matching

Most TOTP failures are operational rather than cryptographic. The usual causes are a mismatched secret, lost QR settings during manual entry, or a device clock that is off.

A practical troubleshooting flow is to compare secrets first, then QR settings, then the system clock.

Users often waste time reinstalling apps before checking those basics. In practice, a careful comparison of the QR payload usually resolves the issue faster than resetting 2FA from scratch.

A useful habit is to test one fresh code in a new 30-second window after each change. That gives you a cleaner signal about whether the secret, settings, or time sync problem has actually been fixed.

For teams and careful individual users, keeping one known-good reference QR or encrypted backup note can also reduce future troubleshooting time because it gives you a clean baseline to compare against.

  • Wrong secret or Base32 typo
  • Clock drift on phone or desktop
  • Custom digits, period, or algorithm not preserved
  • Comparing codes from different 30-second windows
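
The QR payload and mismatch causes described above can be reproduced in a few lines. This is an added example, not code from the original article: it parses an otpauth:// URL, computes the code per RFC 6238, and compares the result from the full payload against the result from the secret alone. The sample URL is constructed; its secret is the published RFC test key, and the label and issuer are placeholders.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the secret is the published RFC 4226/6238 test key
# ("12345678901234567890" in Base32); label and issuer are placeholders.
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&algorithm=SHA1&digits=8&period=60")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Return the TOTP settings from an otpauth:// URI, filling in common defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI has no secret parameter")
    return {"secret": q["secret"],
            "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def totp(secret, now, algorithm="SHA1", digits=6, period=30):
    """Compute the code for Unix time `now` (RFC 6238 on top of RFC 4226)."""
    s = secret.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # raises on a Base32 typo
    counter = struct.pack(">Q", int(now) // period)   # time step, 8 bytes big-endian
    digest = hmac.new(key, counter, HASHES[algorithm]).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def compare(uri, now):
    """Codes from the full QR payload vs. the secret alone, at the same instant."""
    cfg = parse_otpauth(uri)
    return {"full_payload": totp(now=now, **cfg),
            "secret_only": totp(cfg["secret"], now)}

if __name__ == "__main__":
    print(compare(SAMPLE_URI, 59))
```

With the same secret and the same clock, the two codes differ because the secret-only path silently uses 6 digits and a 30-second period.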

Comparison Table

The most common TOTP questions during setup and recovery.

| Question | Short answer | What to check next |
|---|---|---|
| Do I need internet to generate a code? | No | Check the device clock instead |
| Can two apps show the same code? | Yes | They must use the same secret and settings |
| Why does the code expire quickly? | Short time windows are part of the design | Wait for the next window and compare again |
| Why is my code rejected? | Usually secret, settings, or time mismatch | Inspect the QR payload and the system clock |

FAQ

Is TOTP the same as Google Authenticator?

No. TOTP is the open standard. Google Authenticator is one app that implements it.

Can TOTP work without internet?

Yes. TOTP codes are generated from the shared secret and your local device clock.

Why does my code refresh before I finish typing it?

Most services use 30-second windows, so the code changes frequently by design.
