Authentication: TOTP

Let’s make one thing perfectly clear…


  • OTP = One-Time Password
  • TOTP = Time-based One-Time Password

As discussed in the Two-Step Verification post, OTP sends the one-time password to the user’s mobile phone via SMS or to the user’s email address.

TOTP, on the other hand, uses a local app on the mobile device to generate a pass-code.


If we look at the factors for an app using a password and TOTP code, we see that it is something you know and something you have.


When a user registers a mobile device, they receive a key (either as a QR code or as a character string to be entered manually).  This key becomes the something you have.


That key gets stored on the mobile device and in the back-end infrastructure.

The mobile app takes uses an industry standard algorithm with the key and current time as parameters, resulting in a 6 digit code lasting for 30 seconds. The back-end infrastructure uses the same algorithm with the same key and current time, generating an identical code.


A few things to consider with TOTP:

  1. DO NOT take a screenshot of your actual QR code or key and place in a blog, PowerPoint or user manual. Because that key is the something you know, if others get it, they now have one of your authentication factors. Try for yourself. If you scan the QR code with a TOTP app from Citrix, Microsoft, Google and others, you will get a token, but that token is for a test user that no longer exists and the key was deleted from the back-end system.
  2. Because this uses a key stored on the mobile device, the mobile device does not require connectivity to obtain a key. With OTP, the user must either have SMS connectivity or access to email.

If you want to see how TOTP works in a Citrix Workspace environment, take a look at the following Tech Insight video:

Authentication Blog Series: 

Daniel (Twitter @djfeller)

2 thoughts on “Authentication: TOTP”

  1. You can also produce time-based one time passwords using hardware tokens. The principle is the same as when using an app, but the tokens are pre-seeded (no registration stage) and produce the code on an integral LCD display.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.