Time-based one-time password

Time-based one-time password (TOTP) is an extension of the HMAC-based one-time password algorithm (HOTP) and has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.

Through the collaboration of several OATH members, a TOTP draft was developed in order to create an industry-backed standard.

It complements the event-based one-time standard HOTP, and it offers end user organizations and enterprises more choice in selecting technologies that best fit their application requirements and security guidelines.

Some authenticators allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.
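The acceptance window described above, as an added example (not code from the original page or from any particular authenticator): a verifier that checks a submitted code against the current time step and its neighbours. The 30-second step, six digits, HMAC-SHA-1, the `window` parameter and all function names are assumptions of this example; the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 6238 test vectors (SHA-1 case); never use in production.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)

def verify(secret: bytes, code: str, now: int, step: int = 30,
           digits: int = 6, window: int = 1):
    """Return the step offset (-window..+window) whose code matches, else None.

    Every candidate is compared in constant time and the loop never exits
    early, so response time does not depend on which step matched.
    """
    current = now // step
    matched = None
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter < 0:
            continue
        candidate = hotp(secret, counter, digits)
        if hmac.compare_digest(candidate.encode(), code.encode()):
            matched = offset
    return matched

if __name__ == "__main__":
    code = totp(SECRET, 59)           # generated in step 1 (t = 30..59)
    for t in (59, 65, 29, 95):        # constructed server clock readings
        print(t, verify(SECRET, code, t))
```

With `window=1` and a 30-second step, a code stays acceptable for up to 90 seconds, so widening the window to absorb clock skew also lengthens the period in which a captured code can be relayed.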

Due to the short window in which TOTP codes are valid, attackers must proxy the credentials in real time.

Aegis Authenticator, showing time-based one-time passwords