There can never be enough security. On the other hand, using faulty or weak protections may merely make you feel safe while you remain exposed to various threats.

Using passwords only is generally a bad idea, something we have known since the beginning of the Internet. We are making progress toward a password-free world, but in the meantime, many websites offer an additional user account protection with Two-Factor Authentication (2FA).

In general, there are two types of 2FA implementations: Time-based One-time Password (TOTP) and Universal Second Factor (U2F). You may be familiar with the former, as it is the most commonly used 2FA: at login, you have to enter a one-time code that is generated by an app on your phone or by a dedicated hardware device, or that is sent to you via SMS. While simple, this method has several shortcomings.

But not all kinds of 2FA are created equal!

How Does TOTP Work?

Time-based One-time Password (TOTP), popularized mainly by Google Authenticator, verifies your identity based on a shared secret. This secret must be shared online between you and the provider.

When logging into a website, your device generates a unique code from the shared secret and the current time, and you have to submit this code manually. The server computes the same code from the same secret and the same time, then compares it with what you submitted to validate the login request.

Both sides derive the same HMAC-based code from the same inputs: the secret shared at registration and the current time.

Why Is TOTP Inadequate?

While TOTP is very simple to use, it has weaknesses and inconveniences.