Time-Based One-Time Passwords (TOTP)


Time-Based One-Time Passwords (TOTP) are one of the best methods used for two-factor authentication.

You are going to see:

What are Time-Based One-Time Passwords (TOTP)?

Time-Based One-Time Passwords (TOTP) are similar to email codes.

With email codes, we receive an email containing a security code that we must enter while authenticating.

TOTP works the same way, but no email is sent.

It uses a time-based OTP approach in which a new number is generated each minute using the IETF RFC 6238 algorithm.

First, let's see how to use it.

At the end of this article, I’ll explain how it works.


How to enable TOTP?

There are a couple of different plugins available to enable two-factor authentication on your website.

In this article, I'm using the Two-Factor WordPress plugin (beta), which is developed by Plugin Contributors.

Step 1: Install the Two-Factor WordPress plugin

  • Go to Plugins > Add New
  • Search for Two Factor
  • Click on the Install Now button of the plugin developed by Plugin Contributors.

[Screenshot: Search for “Two Factor”]


Step 2: Enable Two-Factor for the WordPress user

Two-factor authentication needs to be enabled for each user.

For each user, you can enable different two-factor options.

I have logged in to my WordPress site, so I'm enabling two-factor on my own profile.

Enable for current/logged-in user

To enable two-factor for the logged-in user:

  • Go to Users > Profile
  • Scroll to “Two-Factor Options” settings


Enable two-factor for a different user

Suppose you want to enable two-factor for a different user.

[Screenshot: All Users]

Here, I have two users.

I want to enable two-factor for the user Chris.

[Screenshot: Edit user]

On the Edit User screen, you see the same Two-Factor Options section as on the profile screen.


How to use TOTP?

To enable TOTP, follow the steps below:

Step 1: Tick the checkbox “Time Based One-Time Password (TOTP)”

[Screenshot: Tick the TOTP checkbox]

Step 2: Install the Google Authenticator mobile app

I’m using the Google Authenticator mobile app. You can use any other authenticator mobile app.

Step 3: Click on the + (plus) button in the app:

Step 3: Click on Scan a QR code

[Screenshot: Scan a QR code]

Step 4: After scanning the QR code, you'll see a 6-digit code

You need to enter that code into the WordPress dashboard input box:

[Screenshot: Enter the Authentication code]

Then click on the Submit button.

The page will refresh and you’ll see:

[Screenshot: TOTP enabled for WordPress user]

Now TOTP is enabled for the user.


How to test whether the TOTP is working or not?

To test the TOTP, follow the below steps:

Step 1: Log out of WordPress

[Screenshot: Log out the user]

NOTE: I have enabled two-factor for the current user, so I need to log out to show how it works. It's the same process for other users.

Step 2: Go to the login page and enter your username/email and password

[Screenshot: Log in to the WordPress website]

Step 3: If you enter valid login details, you see the next screen:

[Screenshot: Add Authentication Code]

Here, you need to enter the Authentication Code.

From where?

You can get it from the Google Authenticator mobile app.

We set up TOTP in Google Authenticator earlier.

Step 4: Open the Google Authenticator mobile app and you'll see the 6-digit number, which is auto-generated every minute

[Screenshot: Added the code]

After clicking on the Authenticate button you'll be redirected to the WordPress dashboard.

[Screenshot: WordPress dashboard after successful login]

If you enter the wrong code, you'll see:

[Screenshot: Error: Invalid verification code]


How does TOTP work?

Each time you log in to the WordPress website, you get a second screen that asks for the TOTP.

You need to enter a valid TOTP to log in to your website.

This means your website credentials alone are not enough to log in to your website.

TOTP adds an additional layer of protection to your WordPress website.

TOTP uses the IETF RFC 6238 algorithm, which is based on time.

In this article, when we enabled TOTP, we saw a QR code.

The QR code was generated at that exact Linux time.

When we scan that QR code, that time is stored in our Google Authenticator app.

The Google Authenticator app uses an algorithm that generates a new 6-digit code every single minute.

The Two-Factor plugin uses the same algorithm. When you log in to the website, it validates the entered code with that same algorithm.

This is the most effective and safe way to use Two-factor.
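As an added example (not code from the article or from the Two-Factor plugin), the following Python block implements the RFC 6238 algorithm the section describes: the authenticator and the server share a secret (carried in the otpauth:// URI that the enrolment QR code encodes), and each side derives the 6-digit code from HMAC-SHA1 over the current time step, which RFC 6238 defaults to 30 seconds. The account name, issuer and verification window are assumptions chosen for illustration; the server-side verify function accepts one step of clock skew either way, which is why a code stays usable for a short while after it changes.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse

STEP = 30    # RFC 6238 default time step, in seconds
DIGITS = 6   # code length shown by Google Authenticator


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP (RFC 4226) computed over the time counter T = floor(time / step)."""
    counter = struct.pack(">Q", unix_time // step)             # 8-byte big-endian counter
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                 # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side (clock skew)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * STEP), submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrolment QR code encodes; the authenticator stores this secret."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    params = {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": DIGITS, "period": STEP}
    label = urllib.parse.quote(issuer + ":" + account)
    return f"otpauth://totp/{label}?{urllib.parse.urlencode(params)}"


if __name__ == "__main__":
    # Constructed demo: a fresh 160-bit secret, as a server would generate at enrolment.
    secret = os.urandom(20)
    print(provisioning_uri(secret, "chris", "WordPress"))      # assumed account/issuer names
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify(secret, code, now))
    # RFC 6238 Appendix B vector (ASCII secret "12345678901234567890", time 59), 6 digits
    print(totp(b"12345678901234567890", 59))                   # 287082
```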

Below are some questions asked by our users:

What is a TOTP authenticator app?

TOTP is a two-factor authentication method that secures your website by adding an additional layer.

Is Google Authenticator a TOTP?

Yes. Google Authenticator is a mobile app that uses the IETF RFC 6238 algorithm to generate a new code every minute.

Is TOTP the same as 2FA?

Yes. TOTP is one of the 2FA (2-Factor or Two-Factor) authentication methods used to secure your website.

What is the difference between OTP and TOTP?

OTP is a one-time password generated by the server and delivered either by email or by mobile SMS for validation.

TOTP is also a one-time password, but one that uses the IETF RFC 6238 algorithm.

Why is TOTP better than SMS?

TOTP is better than SMS because it doesn't depend on any delivery platform. It uses a time-based OTP, which does not require any 3rd-party services like email or SMS.

Where can I get TOTP?

You can get a TOTP from an authenticator mobile app or website. E.g. Google Authenticator is a mobile app that shows you the TOTP after you configure it.

Is TOTP mandatory?

TOTP is a way to secure your website by asking for the TOTP while logging in. Whether it is required completely depends on the site you are using.

Most sites, like GitHub, make TOTP mandatory.

How do I enable TOTP on Google Authenticator?

Follow the steps above in this article to enable TOTP in the Google Authenticator mobile application.

How long is the TOTP code valid?

The TOTP is valid for 30 to 90 seconds.