BSG utilizes HTTP cookies (and similar or complementary technologies) to 1) make this website safe, functional, and accessible (through the use of mandatory cookies) and 2) understand how you use our website (through the use of optional cookies) in order to improve your experience and to provide you with personalized content.

The information in the cookie text files may be related to your personal preferences or your device and is intended to make the site operate according to your expectations. The information contained in cookies does not usually identify your identity directly but is helpful in providing you with a more personalized user experience.

In accordance with the requirements of the General Data Protection Regulation (GDPR) privacy and security law that governs how the personal data of individuals in the EU may be processed and transferred, we provide you the possibility to prohibit the use of certain types of cookies when you use our website.

Read our Cookie Notice and the Privacy Policy for detailed information on how BGS collects and uses cookies. Please note that prohibiting the use of certain types of cookies may affect your interaction with the website and limit the accessibility of services we offer you. Choose the appropriate category below to learn more and to disable cookies.

Accept All cookies*

*Recommended for comfortable use of the site

Accept only necessary cookies

Accept only selected cookies

Necessary cookies

Social media

Analytics

Marketing

TOTP (Time-Based One-Time Password)

What is TOTP?

TOTP (Time-Based One-Time Password) is a one-time verification code generated locally on a user's device using a shared secret and the current Unix timestamp, refreshing automatically every 30 seconds.

How does TOTP work?

TOTP generates verification codes on the user's device without sending anything over a network. An authenticator app — Google Authenticator, Authy, or Microsoft Authenticator — uses a shared secret key (established during setup via QR code) combined with the current time to produce a 6-digit code that changes every 30 seconds.

How does TOTP compare to SMS OTP?

This approach eliminates the delivery dependency that SMS OTP carries. There is no SMS route to fail, no carrier latency, and no per-message cost. The trade-off is user friction: the user must install and configure an authenticator app before they can use TOTP, which limits adoption in consumer-facing flows where speed of onboarding matters.

When should businesses use TOTP?

In practice, TOTP works best as an optional security upgrade rather than a mandatory first step. Fintech and SaaS platforms typically offer TOTP alongside SMS OTP — letting security-conscious users opt into stronger protection without blocking less technical users at the gate. The RFC 6238 standard governs TOTP implementation, and most server-side libraries support it natively.