Time-Based One-Time Passwords (TOTP): Benefits and Use Cases
Multi-factor authentication (MFA) has been one of the greatest leaps forward in user-level cybersecurity since it gained popularity in the 2000s. The fact is that passwords are flawed by design. They are hard for humans to remember but easy for computers to crack, especially when they are reused.
Time-based one-time passwords (TOTP), those short-lived codes from an authenticator app (or, less securely, an SMS) that confirm the authorized person really did type in the password, are one of the most common forms of MFA.
Here’s why you should always turn on time-based one-time password MFA and how the right password manager can make this easy for teams.
TeamPassword features an integrated TOTP authenticator, so teams can share accounts protected by MFA.
What are time-based one-time passwords (TOTP)?
Here’s a basic definition of time-based one-time passwords:
TOTP: Time-based one-time passwords (TOTP) are a dynamic, time-sensitive authentication step that adds another layer of security to your accounts.
Unless you use a password generator to create unique, strong, random passwords, they are at risk of being cracked by computers or socially engineered. If you’ve used the same password for many accounts, then those cracked credentials could mean hackers getting into more of your accounts.
Two-factor authentication (2FA) methods including TOTP provide an added level of security. By sending an SMS code to your phone (or, even better, by using an authenticator app), the website can confirm that the authorized user is the one who entered the credentials.
TOTP vs. OTP
While one-time passwords (OTP) and time-based one-time passwords (TOTP) are similar, they aren’t the same thing. OTP are another form of 2FA, and they also serve as a special authentication step when signing up for a new account to confirm your details.
As part of signing up for an account, OTP can help you confirm that your mobile number or email address were entered correctly. As an ongoing two-factor authentication step, they have some serious shortcomings compared to authenticator app- or password manager-based TOTP systems.
That’s because someone who has gained access to your email account or managed to swap your SIM card can intercept your OTP and then gain access to your account. Despite these known issues, many high-security websites, including banks, continue to use SIM- or email-based OTP authentication systems.
How do TOTP work?
TOTP work by requiring a confirmatory code after a username and password have been entered in an app. These codes, typically six-digit numbers, although longer and more complicated alphanumeric TOTP are also in use, are displayed by an authenticator app.
Authenticator apps constantly regenerate new TOTP, and users only have 30 seconds to punch in the number before it resets to a new one. In this way, even if a user’s credentials have been stolen and the hackers manage to obtain their TOTP by vishing or social engineering, they only have 30 seconds to access the account before the security perimeter is reestablished.
These codes are computed by combining the current time (which the device and the server keep in sync) with a shared secret key. Essentially, both the authenticator app and the app’s server hold the same secret key, so a specific code will be accepted for each period of time, typically 30 seconds.
When the TOTP shown in the authenticator app is entered into the MFA prompt, the server checks whether that is the expected code for that slice of time and authenticates or denies the user accordingly.
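The computation just described, written out as an added illustration (this is not TeamPassword’s code): HOTP per RFC 4226 driven by a 30-second time counter per RFC 6238, a base32 decoder for the secret shown next to the QR code, and a server-side check that tolerates one step of clock drift and refuses to accept the same time slot twice. The secret used is the RFC’s own published test key, and the `last_counter` replay guard is an assumption about what a verifying server should track.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret printed beside the QR code (spaces, case and missing '=' tolerated)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1):
    """Server-side check. Returns the matched counter (persist it to block replay) or None.

    window=1 accepts the previous and next step as well, covering small clock drift.
    last_counter is the highest counter already accepted for this user (assumed to be stored).
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:  # a code for this slot (or earlier) was already used
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret "12345678901234567890" in base32.
    key = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(key, 59), verify_totp(key, totp(key, 59), 59))  # → 287082 1
```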
How can you set up TOTP in TeamPassword?
Setting up TOTP in TeamPassword is an easy four-step process:
- Create or edit a record: If you are creating a new record with TOTP, then use create. If you are adding TOTP to an existing account, then use edit.
- Locate the TOTP secret key: Secret keys are very long alphanumeric codes that the server and authenticator app use to calculate the same code from the current time. The key is typically found near the QR code you need to scan to set up MFA for your account. Instead of scanning the QR code with an authenticator app, you copy the key into TeamPassword to use the built-in authenticator.
- Enter the TOTP secret key in TeamPassword: Find the field labeled Auth Secret (TOTP) in the record and paste the secret key into this field.
- Save the record: Once the record is saved, TeamPassword will generate the current TOTP code for you. This makes it easy to share TOTP with team members, so all users have access to the account without jeopardizing the security of your credentials.
What are the benefits and use cases of time-based one-time passwords?
Enabling TOTP reduces the risks associated with static passwords, and with less secure MFA options like SMS or email OTP, by providing an additional layer of protection. Organizations across various industries implement TOTP for secure access to systems, applications, and sensitive data.
Here are some of the common benefits of TOTP:
- Enhanced security: TOTP minimizes the risk of unauthorized access by requiring a dynamically generated password that expires after a short period. Unlike static passwords, these temporary codes cannot be reused or easily stolen.
- Reduced phishing risk: Since the generated code is valid only for a limited time, phishing attacks become less effective. Even if an attacker obtains a code, it is unlikely to remain valid long enough for unauthorized use.
- Offline functionality: Unlike SMS-based authentication, TOTP does not require an Internet or cellular connection. Users can generate codes using an authenticator app, making it a reliable option in environments with limited connectivity.
- No reliance on external providers: TOTP is not dependent on mobile carriers or third-party services like SMS or email for code delivery. This eliminates risks associated with service outages, delays, or interception of messages.
- Compatibility with multiple platforms: TOTP is an industry-standard authentication method supported by many services, including cloud applications, banking platforms, and enterprise systems. Its widespread adoption ensures easy integration into existing security frameworks.
- Scalability for organizations: Businesses can deploy TOTP at scale without significant infrastructure costs. It is a cost-effective authentication method for securing employee accounts, customer portals, and sensitive internal systems.
- Regulatory compliance: Many industries require multi-factor authentication to meet security and privacy regulations. Implementing TOTP helps organizations comply with standards such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and PCI-DSS (Payment Card Industry Data Security Standard).
- User convenience: TOTP provides a balance between security and usability. Users can authenticate quickly without needing additional hardware beyond a smartphone or token device.
- Mitigation of credential leaks: Even if a password database is compromised, TOTP ensures that attackers cannot log in without the time-sensitive code. This limits the effectiveness of credential-stuffing attacks.
Here are some common TOTP use cases:
- Securing employee access to enterprise systems: Organizations implement TOTP to protect internal tools such as email, cloud storage, and project management platforms. Employees must enter a time-sensitive code from an authenticator app, reducing the risk of unauthorized access due to compromised passwords.
- Enhancing online security: High-risk organizations like financial institutions use TOTP as a second authentication factor for customer logins and transactions. For example, before transferring funds or accessing sensitive account details, bank users must input a one-time password, adding an extra layer of protection against fraud and account takeovers.
- Protecting customer accounts on digital platforms: E-commerce, social media, and cloud service providers offer TOTP as a two-factor authentication (2FA) option. This ensures that even if a primary password is leaked, attackers cannot access accounts without the time-based code. If you are building your own customer-facing tool, consider TOTP instead of other MFA options.
TeamPassword’s TOTP helps secure businesses without added friction
MFA is an important feature for keeping accounts secure. However, for businesses that use password managers, OTP and TOTP have become an added friction for team members trying to log in. They can also add vulnerabilities when the codes are shared over less private tools like text messages or a Slack group channel.
TeamPassword has a built-in TOTP authenticator, allowing teams to enable this best-in-class MFA option without the added step of sharing codes directly.
TeamPassword makes it easy for all team members to use MFA. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.