TOTP Authentication
Time-based One-Time Passwords (TOTP) bring bank-level security to your application, and you can try it out right here on this demo.
Bank-Level Security for Your App
Time-based One-Time Passwords are a simple yet highly effective way to enhance your account security. They’re the same 2FA method you might already use with your bank app—and guess what? You can have that level of security for your own application too.
How It Works
TOTP relies on a shared secret key and the current timestamp to generate short-lived codes. Here's a simplified technical breakdown:
- Shared Secret: When setting up TOTP, a unique secret key is generated and shared with the user's authenticator app via a QR code.
- Code Generation: Both the server and the app feed the secret key and the current time (split into 30-second intervals by default) into a keyed-hash message authentication code (HMAC), then truncate the result to a short numeric code.
- Time Sync: As long as both clocks are synchronized, the two sides compute matching 6-digit codes, and each code expires when its time interval ends.
The process is highly secure because:
- Only the app and the server know the shared secret.
- Codes change every interval, so a captured code is useless for replay once that interval has passed.
For more technical details, check out the TOTP implementation guide.
Activating TOTP on This Demo
Once your account is activated, you’ll be prompted to enable one of three 2FA methods. Let’s focus on TOTP:
- Get an Authenticator App: Use your favorite app like Enpass, Google Authenticator, or Authy.
- Scan the QR Code: Link your account by scanning the QR code provided.
- Generate a 6-Digit Code: Your app will display a 6-digit code that refreshes every 30 seconds. (Fun fact: 30 seconds is a standard, but it could technically be any duration!)
- Confirm: Enter the code to activate TOTP.
Logging in with TOTP
When you log out and sign back in, your session will initially be valid but not fully authenticated until you provide the TOTP code. This second step ensures that even if someone has your password, they still can’t access your account without the authenticator app.
Adding Security to Critical Operations
TOTP isn’t just for logging in. You can use it to secure sensitive actions within your application:
- Delicate Operations: Require a 2FA-authenticated session before users can perform actions like transferring funds, modifying settings, or accessing confidential data.
- Temporary Escalation: TOTP ensures that higher privileges are only granted when the user is truly present and authenticated.
Why TOTP?
- Convenience: Works with most popular authenticator apps.
- Security: Protects against phishing and brute-force attacks.
- Flexibility: Add extra security to critical workflows within your app.
Let’s implement TOTP to make your application as secure as a bank—and just as easy to use!