What is TOTP and how does it actually work?
A plain-language walkthrough of RFC 6238: the shared secret, the time step, HMAC-SHA1, and the truncation that turns a hash into 6 digits.
The shared secret
When you scan a QR code from a service, you copy a short string of random bytes into your authenticator. That string — encoded in Base32 — is the only piece of data both sides need to keep in sync.
The time step
TOTP slices wall-clock time into 30-second windows. Both the server and your authenticator round the current Unix time down to the nearest 30 seconds, so they agree on a counter even without ever talking to each other.
HMAC-SHA1 and truncation
The counter, encoded as an 8-byte big-endian integer, is hashed with HMAC-SHA1 using the secret as the key. RFC 4226's dynamic truncation picks 4 bytes from that hash, reduces the value mod 10⁶, and zero-pads the result so you always get 6 digits.
Last updated: June 26, 2026