If you are interested in finding out how the time-based one-time password (TOTP) algorithm works, you have come to the right place. Understanding how TOTP works will allow you to better understand algorithms. Looking at examples of different algorithm implementations will open up your mind.

Basic Overview

Before we dive deep into how the TOTP algorithm works, it is important that you have a basic understanding of what it is. The TOTP algorithm creates the passcodes you see in authenticator apps. A combination of a secret key and the current time is used to generate the passcode. This is why the passcodes always expire within just a few seconds.

If you have set up one of these apps on your own, you will remember having to scan a QR code along the way. That scan transferred the secret key to the secure keychain storage of your device. The fact is that the algorithm is agnostic of your phone model, cellular network provider, or SIM card. It explains why the authentication code is sent to users by text. Therefore, it should be clear that the algorithm only considers the shared secret key and the current time.

A unique secret code is generated for your user account whenever you create a new account for a service which supports TOTP. The next time you log in, the website uses the same algorithm to generate the passcode. The user is authenticated if the passcode the user enters matches the one generated by the server for the two-factor authentication process.

Algorithm Overview

Now that we have looked at the basic overview of TOTP to help you understand what it is, it is time to go through the algorithm itself. The easiest way to understand the concepts is by going through the code. Let’s take a look at what needs to be done to implement a TOTP service. TOTP is built on a foundational algorithm known as the HMAC-based One-time Password (HOTP) algorithm. Therefore, you need to know HMAC (Hash-Based Message Authentication Code). It is an algorithm that uses the following to generate a unique time-based authentication code:

  • A counter property (for keeping both the user and server TOTP processes in sync)
  • A secret crypto key
  • A crypto hash function

There is no need to worry if you still do not understand the distinction between TOTP and HOTP. The counter property is what differentiates TOTP and HOTP implementations. Generally, HOTP has an event-driven counter: an event such as a button press changes the counter value. In TOTP, the counter value is derived from the current timestamp, so a counter needs to be created from the timestamp. Time since epoch can be used to avoid additional complexity, as it is agnostic to time zones. The number of TX intervals (time steps) is needed as input for the HOTP algorithm. The purpose of the calculation is to determine how many TX intervals have elapsed since the UNIX epoch.


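The following Swift code will help guide you.

    // hmac(algorithm:counter:) is not part of the Swift standard library;
    // it stands for a helper that is not shown in this post.
    let secretKey = "digital bunker"
    let counter = "63283546"
    let hmacResult: String = secretKey.hmac(algorithm: .SHA1, counter: counter)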

The HMAC result is the hashed value. Next, you will need to convert the hashed value into a hexadecimal string.

Since we cannot ask the user to type the full hashed value every time they authenticate, we need an easier way to represent it: a 6-digit code, which is far more user-friendly. Thus, the hashed value needs to be converted into a shorter code using dynamic truncation. If you do not know what dynamic truncation is, it involves using the lower 4 bits of the last byte of the hexadecimal string as an offset into the string for creating a 6-digit code that is still secure. Since the last byte would be 3d, the last 4 bits are the hexadecimal value d (13 in decimal), which is the offset. Then, you will need to grab the 4 bytes that start at that offset.

Each bit operation is part of the dynamic truncation process. These manipulations are essential for finding a 6-digit code which is as secure as can be. Then, the last byte will have to be converted to give the decimal value. Since only a 6-digit code is required, the last 6 digits can be provided to the user. Lastly, the server performs the exact same sequence of steps for the current 30-second interval and the next one, to account for clock drift. The user is only authenticated if their code matches the server’s code. Otherwise, the user is not granted access.
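The whole procedure (time-step counter, HMAC-SHA1, dynamic truncation as defined in RFC 4226, and the server-side check of the current and next interval) as an added Python example; it is not the post's Swift code. The function names, the 30-second default step and the sample secret (the ASCII key from the RFC 6238 test vectors) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the ASCII test key from the RFC 6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"

def time_counter(unix_time, step=30):
    """Whole `step`-second intervals elapsed since the UNIX epoch (time-zone agnostic)."""
    return int(unix_time) // step

def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # low 4 bits of the last byte
    (chunk,) = struct.unpack(">I", mac[offset:offset + 4])  # 4 bytes at that offset
    value = chunk & 0x7FFFFFFF                 # drop the sign bit
    return str(value % 10 ** digits).zfill(digits)  # last `digits` decimal digits

def totp(secret, unix_time=None, step=30):
    """TOTP is HOTP with the counter taken from the clock."""
    now = time.time() if unix_time is None else unix_time
    return hotp(secret, time_counter(now, step))

def verify(secret, submitted, unix_time=None, step=30, offsets=(0, 1)):
    """Server side: accept the current interval and the next one, as the post describes."""
    now = time.time() if unix_time is None else unix_time
    base = time_counter(now, step)
    matched = False
    for delta in offsets:
        expected = hotp(secret, base + delta)
        # Constant-time comparison with no early exit, so timing does not
        # reveal which interval (if any) matched.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched

if __name__ == "__main__":
    print("code now:", totp(SAMPLE_SECRET))
    print("accepted:", verify(SAMPLE_SECRET, totp(SAMPLE_SECRET)))
```

The `offsets` tuple is the acceptance window: every extra interval it contains lengthens the time during which a captured code remains valid.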


Having gone over the post, you should have a better understanding of how the TOTP algorithm works. Both TOTP and HOTP are well-respected algorithms. However, they do come with their limitations. As you might already know, TOTP values can be phished just like any other password, but the attacker would first need to steal the credentials in real time. If you are concerned about this, you can simply shorten the TTL. Typically, the standard TTL of TOTP codes is 10 to 30 seconds, which accounts for latency, usability, and unsynchronized clocks. It is up to you to tweak the TTL to suit your needs. If an attacker manages to find the shared secret key, they would be able to create the TOTP codes.

The post only scratches the surface; once you actually work on the TOTP algorithm, you will learn about its nuances. If you found the content to be useful, bookmark the page and share it with others. We hope that you can take the insights to create the algorithm on your own. Make sure to test it and make changes to ensure that it is truly useful. The final results will leave you satisfied. There is no reason for you to think that you cannot work on the algorithm.