What Are TOTP and 2FA?
2FA means two-factor authentication: proving who you are with a password plus a second factor. TOTP (time-based one-time password, RFC 6238) is one of the most common ways to generate that second factor. The 6-digit code in an authenticator app is calculated from a shared Secret and the current time, so it changes every 30 seconds by default.
One-line Explanation
TOTP combines a Secret with the current time to generate a short-lived verification code.
When You See It
- When signing in to GitHub, Google, Cloudflare, server panels, or admin systems that ask for a 6-digit authenticator code.
- When moving phones, backing up a 2FA Secret, or testing a login flow that needs to confirm code generation.
- When you see an otpauth://totp/... link or QR code containing account, issuer, Secret, algorithm, and period information.
How It Works
The website gives you a Secret (usually as a QR code). Your authenticator app stores that Secret locally and never needs to contact the website to produce a code.
To generate a code, the app computes an HMAC (SHA-1 by default) over the Secret and the current time window, where the window is the Unix time divided by the refresh period (30 seconds by default), then truncates the result to the configured number of digits (6 by default).
The server stores the same Secret and calculates the expected code the same way. Most servers also accept the codes for one window before and after the current one, so that a device clock that is a few seconds off still works. If the submitted code matches, you have proven possession of that Secret. A careful server also refuses to accept a code it has already accepted once, so an intercepted code cannot be replayed within its window.
Examples
Common otpauth URL
Authenticator QR codes usually encode a URL like this. The secret is Base32-encoded; algorithm, digits, and period are optional and default to SHA1, 6, and 30 seconds when absent.
otpauth://totp/Nexkits:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Nexkits
Common Misunderstandings
- Do not share a TOTP Secret or include it in public screenshots, chat messages, or support tickets. A screenshot of the setup QR code is the Secret: anyone who has it can generate your codes.
- A wrong code does not always mean the Secret is wrong. Device time, period, digit count, or algorithm can also be mismatched. Servers usually tolerate only about one period of clock drift, so check the device clock first.
- 2FA is not a complete security solution by itself. Passwords, recovery codes, email security, and device security still matter, and a phishing page that relays your code to the real site in real time still gets in.
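The following is an added worked example, not code from the original page or from any authenticator project. It ties together the "How It Works" section, the otpauth URL under "Examples", and the time-mismatch point above: it parses the page's otpauth URL (filling in the SHA1/6/30 defaults), implements HOTP and TOTP as RFC 4226 and RFC 6238 describe them using only the Python standard library, and shows a server-side check that accepts one time step either side of the current one and compares in constant time. The function names, the RFC test vector secret "12345678901234567890", and the sample URL usage are assumptions made for this example. Replay protection (rejecting a code that was already accepted) is left to the calling server and is not implemented here.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed input: the otpauth URL shown on this page. JBSWY3DPEHPK3PXP is the
# widely used demo secret and decodes to b"Hello!\xde\xad\xbe\xef".
OTPAUTH_URL = "otpauth://totp/Nexkits:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Nexkits"


def parse_otpauth(url):
    """Parse an otpauth://totp/... URL into its parameters, applying the defaults
    (SHA1, 6 digits, 30 s) that authenticator apps assume when a field is absent."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URL")
    label = unquote(parsed.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    # Base32 decoding wants a multiple of 8 characters; URLs commonly omit the '=' padding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "account": account,
        "issuer": params.get("issuer", issuer_from_label),
        "secret": base64.b32decode(secret_b32),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret, counter, *, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value
    return str(code % 10 ** digits).zfill(digits)              # keep leading zeros


def totp(secret, for_time=None, *, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // period, algorithm=algorithm, digits=digits)


def verify(submitted, secret, now=None, *, window=1, algorithm="SHA1", digits=6, period=30):
    """Server-side check: accept the code for the current step and up to `window`
    steps either side (clock drift tolerance), comparing in constant time."""
    if now is None:
        now = time.time()
    current = int(now) // period
    for counter in range(max(current - window, 0), current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, algorithm=algorithm, digits=digits), submitted):
            return True
    return False


def code_from_url(url, for_time=None):
    """Generate the code an authenticator app would show for this otpauth URL."""
    p = parse_otpauth(url)
    return totp(p["secret"], for_time, algorithm=p["algorithm"], digits=p["digits"], period=p["period"])


if __name__ == "__main__":
    p = parse_otpauth(OTPAUTH_URL)
    print("account:", p["account"], "issuer:", p["issuer"], "digits:", p["digits"], "period:", p["period"])
    print("current code:", code_from_url(OTPAUTH_URL))
```

Run it and compare the printed code with what an authenticator app shows after scanning the same URL; if they differ, the first things to check are the device clock and the algorithm/digits/period fields, exactly as the misunderstandings list says. Changing `window` to 0 in `verify` is the quickest way to see how a clock that is 30 seconds off turns into a "wrong code" error.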