OTP and 2FA: TOTP Basics and Integration

TOTP windows, otpauth URIs, backup codes, and rate limits—a security checklist for building 2FA.

· All guides

How 2FA Works

Two-factor authentication (2FA) combines something you know (password) with something you have (phone app, hardware key) or something you are (biometrics). The goal is simple: a stolen password alone should not grant account access. Banks, cloud consoles, and SaaS admin panels increasingly require 2FA because credential stuffing attacks automate billions of login attempts with leaked password lists.

Time-based One-Time Password (TOTP) is the most common developer-facing 2FA method. Apps like Google Authenticator, Authy, and 1Password generate six-digit codes that rotate every 30 seconds from a shared secret. During integration, otp-generator creates TOTP secrets and otpauth:// URIs you can encode into QR codes for testing—without sending production secrets to external services.

Production secrets must be generated server-side with a cryptographically secure random source, encrypted at rest, and never logged. otp-generator is for staging and local QA, not for issuing real user enrollment material in bulk. Step-by-step enrollment flow: user enables 2FA → server generates secret → server shows QR once → user scans → user enters first code → server validates and stores encrypted secret → server displays backup codes once.

Common mistakes include accepting TOTP codes without rate limiting (brute force across six digits is feasible at scale), allowing unlimited backup code attempts, and storing secrets in plaintext database columns.

TOTP Essentials

TOTP builds on HMAC-SHA1 (RFC 6238) or SHA256 variants: code = HOTP(secret, floor(unix_time / 30)). Client and server must agree on the time window—usually 30 seconds—and allowed clock skew. Production systems typically accept the current window plus/minus one step to tolerate phones that drift thirty seconds slow.

Show backup codes exactly once at enrollment: single-use recovery tokens printed or downloaded as a file. Store only hashed backup codes server-side, like passwords. When a user consumes a backup code, invalidate it immediately and prompt regeneration.

Developer debugging workflow in staging: open otp-generator, paste the same secret your test server uses, confirm generated codes match what the API accepts, then test QR rendering in your mobile UI. Never log the secret, seed, or live six-digit codes in application logs—SIEM pipelines index them forever.

With Password Policy

2FA does not excuse weak passwords. It limits damage after a leak by requiring the second factor, but users still need strong unique passwords per site. password-generator creates high-entropy passwords; password-strength scores complexity and flags dictionary patterns during policy education demos.

Prefer TOTP or WebAuthn hardware keys over SMS OTP. SIM swap attacks let adversaries receive text messages intended for your phone number. SMS also fails in airplane mode, roaming edge cases, and regions with unreliable carriers. WebAuthn/FIDO2 keys resist phishing better than TOTP because credentials bind to origin.

Team policy example: minimum fourteen-character passwords plus mandatory WebAuthn for admins; standard users may choose TOTP. Rotate password-generator demos in onboarding slides but never collect real employee passwords through Towalles or any third-party form.

Dev Debugging

Integrating 2FA touches QR rendering, clock sync, backup codes, and recovery flows—each breaks independently. Use otp-generator in staging to validate end-to-end without waiting for a physical phone on every CI run; automate API tests with the same secret injected from your secrets manager test fixture.

Rate-limit verification endpoints: per IP, per username, exponential backoff after failures. Lock accounts temporarily after ten bad codes. Monitor for spikes indicating credential stuffing paired with TOTP guessing.

Security checklist before production: secrets encrypted with KMS, backup codes hashed, recovery path requires alternate verified channel, admins cannot disable 2FA without audit log, and support staff cannot read TOTP secrets. Towalles runs otp-generator locally—treat pasted staging secrets like production credentials if they ever overlap environments.

Related tools