Time-Based One-Time Passwords (TOTP) are one of the best methods used for two-factor authentication.
You are going to see:
- What are Time-Based One-Time Passwords (TOTP)?
- How to enable TOTP?
What are Time-Based One-Time Passwords (TOTP)?
Time-Based One-Time Passwords (TOTP) are similar to email codes.
With email codes, we receive an email containing a security code that we must enter while authenticating.
TOTP works the same way, but no email is sent.
It uses a time-based OTP approach in which, each minute, a new number is generated with the help of the IETF RFC 6238 algorithm.
First, let's see how to use it.
At the end of this article, I’ll explain how it works.
How to enable TOTP?
There are a couple of different plugins available for enabling two-factor authentication on your website.
Step 1: Install the Two-Factor WordPress plugin
- Go to
- Search for Two Factor
- Click the Install Now button on the plugin developed by Plugin Contributors.
Step 2: Enable Two-Factor for the WordPress user
Two-factor has to be enabled per user.
For each user, you can enable different two-factor options.
I'm logged in to my WordPress site, so I'm enabling two-factor on my own profile.
Enable for current/logged-in user
To enable two-factor for the logged-in user:
- Go to
- Scroll to “Two-Factor Options” settings
Enable two-factor for a different user
Suppose you want to enable two-factor for a different user.
Here, I have two users.
I want to enable two-factor for the user Chris.
On the Edit User screen, you see the same Two-Factor Options section as before.
How to use TOTP?
To enable TOTP, follow the steps below:
Step 1: Tick the checkbox “Time Based One-Time Password (TOTP)”
Step 2: Install the Google Authenticator mobile app
I’m using the Google Authenticator mobile app. You can use any other authenticator mobile app.
Step 3: Click the + (plus) button and choose “Scan a QR code”
Step 4: After scanning the QR code you'll see a 6-digit code
Enter that code into the input box in the WordPress dashboard:
Then click the Submit button.
The page will refresh and you'll see:
Now TOTP is enabled for the user.
How to test whether TOTP is working?
To test TOTP, follow the steps below:
Step 1: Log out of WordPress
NOTE: I enabled two-factor for the current user, so I need to log out to show how it works. The process is the same for other users.
Step 2: Go to the login page and enter your username/email and password
Step 3: If the login details are valid, you see the next screen:
Here, You need to enter the Authentication Code.
You can get it from the Google Authenticator mobile app.
We had set up the TOTP in Google Authenticator.
Step 4: Open the Google Authenticator mobile app and you'll see the 6-digit number, which is regenerated every minute
After clicking the Authenticate button you are redirected to the WordPress dashboard.
If you enter the wrong code then you’ll see:
How does TOTP work?
Each time you log in to the WordPress website, you get a second screen that asks for the TOTP.
You need to enter a valid TOTP to log in to your website.
This means your website credentials alone are not enough to log in.
TOTP adds another layer of protection to your WordPress website.
TOTP uses the IETF RFC 6238 algorithm, which is based on time.
Earlier in this article, enabling TOTP displayed a QR code.
The QR code was generated at that exact Linux time.
When we scan that QR code, the Google Authenticator app stores that time.
The Google Authenticator app then uses an algorithm that generates a new 6-digit code every single minute.
The Two-Factor plugin uses the same algorithm. While you log in to the website, it validates the entered code with the same algorithm.
This is the most effective and safest way to use two-factor.
Below are some questions asked by our users:
What is a TOTP authenticator app?
TOTP is a two-factor authentication method that secures your website by adding an additional layer.
Is Google Authenticator a TOTP?
Yes. Google Authenticator is a mobile app that uses the IETF RFC 6238 algorithm to generate a new code every minute.
Is TOTP the same as 2FA?
Yes. TOTP is one of the 2FA or 2-Factor or Two-Factor authentication ways to secure your website.
What is the difference between OTP and TOTP?
An OTP is a one-time password generated by the server and delivered by email or mobile SMS for validation.
A TOTP is also a one-time password, but one generated with the IETF RFC 6238 algorithm.
Why is TOTP better than SMS?
TOTP is better than SMS because it does not depend on any delivery platform. It uses a time-based OTP, which does not require any third-party service such as email or SMS.
Where can I get TOTP?
You can get a TOTP from an authenticator mobile app or website. For example, Google Authenticator is a mobile app that shows you the TOTP after you have configured it.
Is TOTP mandatory?
TOTP is a way to secure your website by asking for the TOTP while logging in. Whether it is mandatory depends entirely on the site you are using.
Most sites, such as GitHub, make TOTP mandatory.
How do I enable TOTP on Google Authenticator?
Follow the steps above in this article to enable TOTP in the Google Authenticator mobile application.
How long is the TOTP code valid?
The TOTP is valid for 30 to 90 seconds.