Time-Based One-Time Password (TOTP)
What is a Time-Based One-Time Password (TOTP)?
A TOTP (Time-Based One-Time Password) is a temporary, single-use code generated by an authenticator app that changes every 30 seconds. TOTP is a specific type of One-Time Password (OTP) and is the mechanism behind authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. Because each code is only valid for a short window of time and can only be used once, it is highly resistant to theft and replay attacks.
How does TOTP work?
When you set up TOTP for an account, the service shares a secret key with your authenticator app, usually by scanning a QR code. Your app and the server then use the same algorithm (defined in RFC 6238) to independently generate a 6-digit code from that key combined with the current time. Because both sides use the same key and the same clock, their codes always match, with no need to transmit the code over a network.
What is the difference between TOTP and standard OTP?
A standard OTP is typically generated on a server and delivered to you via email or SMS. A TOTP is generated entirely on your device by your authenticator app, and nothing is sent over a network. This makes TOTP more secure than SMS-based OTP, as it cannot be intercepted in transit.
TOTP and MIDAS
All MIDAS booking systems support Two-Factor Authentication (2FA) via authenticator apps. When this option is enabled, users must open their authenticator app and enter the current TOTP code each time they log in, providing a strong second factor that protects their account even if their password is compromised.