TOTP stands for Time-based One-Time Password, defined in RFC 6238. The 6-digit code that rotates every 30 seconds in your authenticator app. Generated by hashing a shared secret (the seed registered at 2FA setup) with the current time, truncated to a 6-digit number. The middle tier of 2FA: stronger than SMS (no SIM-swap exposure), weaker than hardware keys (vulnerable to real-time phishing).
What it means in practice
The cryptographic model is mature and the implementation is consistent across authenticator apps. The seed is shared between the service and the user’s authenticator at enrollment (the QR code you scan); time synchronization between the service and the device produces matching codes within a small tolerance window (typically 30 seconds before and after current time to handle clock drift). The structural weakness: the seed exists, and any compromise of the seed compromises all future codes from it. The phishing weakness: in a real-time phishing attack, the user enters the code on the fake page, the kit forwards it to the real service within the 30-second validity window, the kit captures the resulting session cookie. Hardware keys defeat this attack because the cryptographic binding is to the actual domain origin, not a code that can be relayed.
Where it shows up
Supported by most major services as the recommended 2FA option below hardware keys. Used by: Google, Microsoft, Apple, GitHub, GitLab, AWS, Cloudflare, Bitwarden, 1Password, Proton, the entire SaaS ecosystem, banking and brokerages where SMS is being deprecated, and increasingly social-media platforms that have shifted from SMS-default to TOTP-recommended. The displacement curve: SMS 2FA is being phased out under regulatory pressure (NIST deprecation 2017, ongoing removal from financial services), TOTP is the current dominant tier, hardware keys are the highest tier where supported, and passkeys are the emerging default that subsumes the password-plus-TOTP combination into a single cryptographic credential.
What you can change today
Move every account currently on SMS 2FA to TOTP via Aegis (Android) or Raivo (iOS). For each account: log in, find Security or 2FA settings, switch authenticator from SMS to authenticator app, scan the new QR code into Aegis or Raivo, verify the code, save the recovery codes the service generates. Where the account also supports hardware keys, prefer hardware keys over TOTP for the keystone accounts (primary email, password manager, financial, code repositories). Where the account also supports passkeys, prefer passkeys over the password-plus-TOTP combination. The migration order: SMS to TOTP first (every account that still uses SMS), TOTP to hardware key for the keystone accounts, password-plus-TOTP to passkey where the service supports it.
