How to validate the TOTP ? #47

d3bt3ch · 2026-04-09T19:31:39Z

d3bt3ch
Apr 9, 2026

How to validate the TOTP ?

Apr 10, 2026

From a mechanical perspective: generate the expected code, then check if the provided code matches the expected code. For example:

if (providedOneTimePasswordString.equals(totp.generateOneTimePasswordString(key, timestamp)) {
  // Success!
}

…but please note that there are lots of other factors to consider! How much clock drift will you allow? How many times is a user allowed to retry? What happens when a user exceeds that limit? These (and other) considerations are discussed in greater detail in:

"Security requirements" from RFC 4226 (the HOTP spec)
"Security considerations" from RFC 6238 (the TOTP spec)

View full answer

jchambers · 2026-04-10T00:08:13Z

jchambers
Apr 10, 2026
Maintainer

From a mechanical perspective: generate the expected code, then check if the provided code matches the expected code. For example:

if (providedOneTimePasswordString.equals(totp.generateOneTimePasswordString(key, timestamp)) {
  // Success!
}

…but please note that there are lots of other factors to consider! How much clock drift will you allow? How many times is a user allowed to retry? What happens when a user exceeds that limit? These (and other) considerations are discussed in greater detail in:

"Security requirements" from RFC 4226 (the HOTP spec)
"Security considerations" from RFC 6238 (the TOTP spec)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to validate the TOTP ? #47

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to validate the TOTP ? #47

Uh oh!

d3bt3ch Apr 9, 2026

Replies: 1 comment

Uh oh!

jchambers Apr 10, 2026 Maintainer

d3bt3ch
Apr 9, 2026

jchambers
Apr 10, 2026
Maintainer