How is a Time-Based One-Time Password (TOTP) generated?

A Time-Based One-Time Password (TOTP, RFC 6238) is generated from two inputs: a shared secret established at enrollment (usually scanned from a QR code as a base32 string) and the current time, rounded down to a time step that is typically 30 seconds. Because the time step changes constantly, each password is valid only for that step; servers commonly also accept the adjacent step to tolerate clock drift between client and server. When a user authenticates, the client and the server each compute the code independently from the same secret and the same time step, so they arrive at the same value without the secret ever being transmitted.

TOTP is HOTP (RFC 4226) with the time step used as the counter: the counter is encoded as an 8-byte big-endian integer and run through HMAC keyed with the shared secret, normally HMAC-SHA1 (HMAC-SHA256 and HMAC-SHA512 are also defined). A 4-byte window of the MAC is selected by its last nibble (dynamic truncation) and reduced modulo 10^digits to produce the 6- or 8-digit code. Because the time counter is part of the HMAC input, a captured code stops working once the step it was computed for falls outside the window the server accepts. This makes each password ephemeral and unique to a short interval.

TOTP therefore mitigates replay attacks: an intercepted code is useless once its time step has expired, and a server that records the last accepted time step per user can refuse the same code a second time within the window. The protection is limited to that window, however: a code relayed to the server immediately (for example through a real-time phishing proxy) still works, so TOTP reduces rather than eliminates the value of a captured password. It also depends entirely on the shared secret and on reasonably synchronized clocks; if the secret is exposed, every future code can be computed.
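The computation described above, written out as an added example (not code from the original page): HOTP with dynamic truncation, the RFC 6238 time counter on top of it, and a server-side verifier that accepts one step of clock drift but refuses any time step at or below the last one already consumed, which is the check that blocks replay inside the window. The secret is the RFC 4226/6238 reference key (ASCII "12345678901234567890"), shown in the base32 form an authenticator app would import; the helper names and the `TotpVerifier` class are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# encoded as base32 the way an otpauth:// enrollment URI carries it.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 TOTP secret; tolerate spaces, lowercase and the
    missing '=' padding that enrollment URIs commonly omit."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def time_step(at_time: float, step: int = 30, t0: int = 0) -> int:
    """RFC 6238 counter T = floor((now - T0) / X)."""
    return int(at_time - t0) // step


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP is HOTP with the time step as the counter."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, time_step(at_time, step), digits, algorithm)


class TotpVerifier:
    """Server side: accept the current step and +/- `window` neighbours
    (clock drift), but never a step at or below the last one already used.
    That last-used check is what stops replay inside the validity window."""

    def __init__(self, secret: bytes, step=30, digits=6, window=1, algorithm=hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algorithm = window, algorithm
        self.last_counter = -1          # persist per user in a real deployment

    def verify(self, code: str, at_time=None) -> bool:
        code = code.replace(" ", "")
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = time.time() if at_time is None else at_time
        current = time_step(now, self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter < 0 or counter <= self.last_counter:
                continue                # already consumed (or older) step: reject
            expected = hotp(self.secret, counter, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at T=59, 8 digits:", totp(secret, 59, digits=8))
    print("TOTP now:", totp(secret))
```

With the reference secret, `hotp` reproduces the RFC 4226 table (counter 0 gives 755224, counter 1 gives 287082) and `totp` reproduces the RFC 6238 table (T=59 gives 94287082 with 8 digits, which is the same HMAC as HOTP counter 1 because 59 // 30 == 1). In the verifier, the second submission of a code that was just accepted fails even though the step is still inside the window; a production deployment keeps `last_counter` in the user record, not in memory.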
