TOTP — Time-Based One-Time Passwords (RFC 6238 / pyotp)

TOTP (RFC 6238) generates time-synchronized 6–8 digit one-time codes using HMAC-SHA1 over a shared secret and a 30-second time counter, enabling a second authentication factor that requires no network call — commonly implemented via pyotp in Python or otplib in JavaScript.

Evaluated Mar 07, 2026. Version: RFC 6238 (2011); pyotp 2.9.x
Category: Security. Tags: totp, mfa, 2fa, otp, auth, security, rfc6238, pyotp
⚙ Agent Friendliness: 64 / 100 (Can an agent use this?)
🔒 Security: 81 / 100 (Is it safe for agents?)
⚡ Reliability: 69 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 88
Error Messages: 80
Auth Simplicity: 82
Rate Limits: 95

🔒 Security

TLS Enforcement: 90
Auth Strength: 78
Scope Granularity: 70
Dep. Hygiene: 90
Secret Handling: 80

TOTP secrets must be encrypted at rest and transmitted only over TLS. The 6-digit code space (1M values) is vulnerable to brute force without rate limiting. TOTP does not provide phishing resistance — codes can be replayed in real time.

⚡ Reliability

Uptime/SLA: 0
Version Stability: 95
Breaking Changes: 95
Error Recovery: 85

Best When

You need a widely compatible, low-complexity second factor that works offline and is supported by all major authenticator apps without requiring hardware tokens.

Avoid When

Your threat model includes real-time phishing or you need phishing-resistant authentication — in that case, use WebAuthn instead.

Use Cases

  • Generate a TOTP provisioning URI and QR code at account setup so users can scan it into Google Authenticator, Authy, or a hardware token
  • Verify a TOTP code submitted during login by checking the current and adjacent time windows (±1 step) to tolerate moderate clock skew
  • Implement backup/recovery codes at enrollment time as single-use alternatives when the user's authenticator is unavailable
  • Add TOTP as a second factor to a CLI tool or agent dashboard where hardware passkeys are not available
  • Validate TOTP in a rate-limited, attempt-counting loop (lock after N failures) to prevent brute-force attacks on the 6-digit space

Not For

  • Phishing-resistant authentication — TOTP codes can be intercepted in real-time phishing attacks; use WebAuthn/FIDO2 for phishing resistance
  • Passwordless authentication as the sole factor — TOTP is a second factor; it requires a first factor (password, passkey) to be meaningful
  • High-security environments where SIM-swap or voice-phishing attacks are a concern — TOTP shared secrets can be extracted from unprotected devices or databases

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

TOTP is a pure library/algorithm — no external service or authentication required. The shared secret is generated and stored by the application.

Pricing

Model: free
Free tier: Yes
Requires CC: No

RFC 6238 is a free IETF standard. pyotp (MIT), otplib (MIT), and speakeasy (MIT) are all open-source. No external service required.

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • Clock skew: the TOTP algorithm is sensitive to host clock accuracy; containers and VMs can drift — always enable a ±1 window (valid_window=1 in pyotp) and monitor host NTP sync status
  • Shared secret storage: the base32-encoded TOTP secret is equivalent to a password; it must be encrypted at rest (never stored in plaintext in a database column or environment variable log)
  • Backup code exhaustion: agents provisioning TOTP must generate and store backup codes at enrollment and handle the case where all backup codes are consumed — there is no RFC-defined recovery path
  • QR code provisioning URI (otpauth://) must use the exact issuer and account name that will be displayed in the authenticator app; changing these fields after enrollment breaks re-scanning without re-enrollment
  • Replay attack prevention: TOTP codes are valid for 30 seconds; an agent that does not track and reject previously used codes within a window allows the same code to be submitted twice — maintain a short-lived used-code cache keyed by (secret_hash, counter)
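The verifier behaviour the use cases and gotchas above call for, as an added example that is not pyotp's or the page's own code: RFC 6238 code generation with the standard library only, a ±1 step window, a short-lived replay cache keyed by (secret_hash, counter), and a lock after N consecutive failures. The seed is the RFC 6238 Appendix B test vector; the TotpVerifier class and its parameter names are this example's own.

```python
import hashlib, hmac, struct, time
from collections import defaultdict
from typing import Optional

# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890"); a constructed test
# input, never a production secret.
RFC_TEST_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

class TotpVerifier:
    """Accepts codes from the current step and +/-valid_window adjacent steps, rejects a
    (secret_hash, counter) pair that was already accepted, and locks after max_failures."""

    def __init__(self, valid_window: int = 1, step: int = 30, max_failures: int = 5):
        self.valid_window, self.step, self.max_failures = valid_window, step, max_failures
        self.used = set()                  # (secret_hash, counter) pairs already consumed
        self.failures = defaultdict(int)   # secret_hash -> consecutive failed attempts

    def verify(self, secret: bytes, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        key = hashlib.sha256(secret).hexdigest()    # cache key: never the raw secret
        if self.failures[key] >= self.max_failures:
            return False                              # locked out; needs an out-of-band reset
        counter = at // self.step
        # Drop cache entries that can no longer fall inside any accepted window.
        self.used = {u for u in self.used if u[1] >= counter - self.valid_window}
        for delta in range(-self.valid_window, self.valid_window + 1):
            c = counter + delta
            if hmac.compare_digest(hotp(secret, c), code):   # constant-time comparison
                if (key, c) in self.used:
                    break                                    # replay: count as a failure
                self.used.add((key, c))
                self.failures[key] = 0
                return True
        self.failures[key] += 1
        return False
```

Because the window spans three 30-second steps, a code stays acceptable for up to 90 seconds, which is exactly why the used-code cache is needed and not only a per-step check.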

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for TOTP — Time-Based One-Time Passwords (RFC 6238 / pyotp).

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

$3

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo

Scores are editorial opinions as of 2026-03-07.
