How OTP & TOTP Actually Protect Your Accounts
Passwords were never meant to carry the entire weight of your security.
Yet today, for most people, they’re still the only thing standing between an attacker and full account access.
That’s a problem.
In this post, we’ll break down:
- Why passwords fail
- What 2FA actually adds
- How TOTP works under the hood
- Why SMS codes are weak
- What you should use instead
The Problem With Passwords
If someone gets your password… they are you.
There’s no second check. No fallback. No friction.
And getting a password is easier than most people think:
- 🎣 Phishing → Fake login pages steal credentials instantly
- 💥 Data breaches → Password dumps get leaked online
- 🕵️ Keyloggers → Malware records everything you type
- 🔁 Reuse → One leak compromises dozens of accounts
👉 A password is a single point of failure.
The Solution: Two-Factor Authentication (2FA)
2FA changes the game by requiring two independent factors:
- Something you know → your password
- Something you have → your phone (OTP code)
Even if an attacker steals your password, they still can't log in with the password alone.
Why?
Because they’re missing the second factor.
What Is an OTP?
An OTP (One-Time Password) is a short code (usually 6 digits) that is valid for a single login. In the time-based variant (TOTP) a fresh code is produced every ~30 seconds.
Example:
482091
It’s only valid for a very short window—and then it’s useless.
How TOTP Works (Simple Explanation)
TOTP = Time-based One-Time Password
It’s not random. It’s deterministic math.
Here’s what happens:
1. Setup (only once)
- The server generates a secret key
- You scan it with your authenticator app (QR code)
- Now both your phone and the server share the same secret
That’s it. No more data exchange.
2. Every 30 seconds
Both sides independently compute the same code:
- Take the current Unix time and divide it by 30 (dropping the remainder) to get a counter
- Feed that counter and the shared secret into a keyed hash (HMAC-SHA1 by default; SHA-256 and SHA-512 are also allowed by the standard)
- Truncate the HMAC output and reduce it modulo 10^6
- The result is the 6-digit code
Your phone does it.
The server does it.
👉 If the numbers match → access granted. Most servers also accept the previous or next 30-second step to tolerate clock drift, and remember the last step they accepted so the same code cannot be replayed.
Important:
The secret never crosses the network after setup. The only thing transmitted at login is the 6-digit code you type, which is useless once its time step has passed.
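The whole procedure above, as an added worked example (this is not code from the original post or from the linked repository): HOTP per RFC 4226, TOTP per RFC 6238 on top of it, the base32 decoding that authenticator apps do when they scan a QR code, and a server-side verifier with a one-step drift window and replay protection. The function and class names, the `window` parameter, and the demo secret `JBSWY3DPEHPK3PXP` are my own choices; the test vectors at the bottom are the published ones from the two RFCs.

```python
# Added example: RFC 4226 HOTP and RFC 6238 TOTP from the standard library only.
# Names (hotp, totp, TotpVerifier, decode_base32_secret, otpauth_uri) are assumptions
# made for this illustration, not an API from the post or the linked repo.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic truncation'."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                         # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF   # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros: "005924" is a valid code


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def decode_base32_secret(text: str) -> bytes:
    """Secrets in otpauth:// URIs are base32, usually unpadded and sometimes space-separated."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def otpauth_uri(issuer: str, account: str, b32secret: str, digits: int = 6, step: int = 30) -> str:
    """The string that gets encoded into the enrollment QR code (setup step 1)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32secret}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server side: tolerate +/- `window` steps of clock drift, never accept a step twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted_step = -1  # persisted per user in a real system

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # replayed code, or older than one already used
            expected = hotp(self.secret, candidate, algorithm=hashlib.sha1)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_accepted_step = candidate
                return True
        return False


# Demo secret (assumed for illustration); the well-known base32 string decodes to b"Hello!\xde\xad\xbe\xef".
DEMO_B32 = "JBSWY3DPEHPK3PXP"

if __name__ == "__main__":
    secret = decode_base32_secret(DEMO_B32)
    print(otpauth_uri("Example Corp", "alice@example.com", DEMO_B32))
    print("current code:", totp(secret, time.time()))
```

The `zfill` and `compare_digest` calls are the two details most hand-rolled implementations get wrong: dropping the leading zero turns "005924" into "5924", and a plain `==` on the code leaks timing information. The verifier's `last_accepted_step` is what stops a code captured by a keylogger from being reused inside the same 30-second window.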
TOTP vs SMS Codes
Not all 2FA is equal.
📱 SMS Codes
- Sent over the phone network, so the code is only as safe as the delivery channel
- Vulnerable to SIM swap attacks (the attacker takes over your phone number)
- Can be intercepted in transit or read by malware on the phone
- The code itself is just a random number the server texted you; there is no shared secret or keyed hash binding it to your device
🔐 TOTP Apps
- Codes generated locally on your device
- Work offline
- Not transmitted anywhere
- Based on cryptography (HMAC)
👉 SMS = convenience
👉 TOTP = a cryptographic second factor
In fact, SMS-based 2FA is now considered weak by modern standards; NIST SP 800-63B classes SMS and voice-call codes as a "restricted" authenticator.
Can TOTP Be Hacked?
Yes—but it’s much harder.
Here are the main attack vectors:
🎭 Real-time phishing
A fake site captures your password and your OTP and relays them to the real site within the 30-second window. TOTP cannot tell the two sites apart.
Mitigation:
Use hardware keys or passkeys (FIDO2 / YubiKey); they bind the login to the real site's origin, so a look-alike domain gets nothing usable
📱 Phone theft
If someone has your phone and unlocks it…
Mitigation:
Use app-level PIN or biometrics
☁️ Backup leaks
If your OTP secrets are backed up unencrypted…
Mitigation:
Use encrypted apps (Aegis, Proton)
📞 Social engineering
“Tell me your code” scams
Mitigation:
Never share OTPs—legitimate services never ask
Which Authenticator App Should You Use?
🟣 Proton Authenticator
- End-to-end encrypted backups
- Open source
- Great if you use Proton ecosystem
🛡️ Aegis (Android)
- Encrypted local vault (AES-256)
- Fully open source
- No cloud dependency
🔴 Google Authenticator
- Easy, widely supported
- ⚠️ Cloud backup is not end-to-end encrypted
- ⚠️ Less control over secrets
👉 For sensitive accounts, avoid weak backup models.
The Bigger Picture
TOTP is a huge upgrade over passwords.
But it’s not the endgame.
The future is:
- Passkeys
- FIDO2 hardware keys
- Phishing-resistant authentication
Still…
👉 TOTP is one of the highest ROI security upgrades you can make today.
TL;DR
- Passwords alone are not secure
- 2FA adds a second layer (something you have)
- TOTP generates codes locally using shared secrets + time
- SMS 2FA is weak — avoid it
- Use apps like Aegis or Proton Authenticator
- For critical accounts, consider hardware keys
Final Thought
Security isn’t about being unhackable.
It’s about making yourself hard enough to not be worth the effort.
TOTP does exactly that.
Related code https://github.com/ivmos/ivmosdev/tree/main/study/otp