正在加载,请稍候…

Beyond SMS: The Rise of OTP Generators and How to Use Them Safely

Why regulators are moving away from SMS OTPs, and how to use a TOTP generator for stronger authentication. Learn about phishing-resistant 2FA, TOTP best

OTP generator app on a smartphone screen

For years, the humble SMS one-time password (OTP) was the go‑to second factor for securing online accounts. But as phishing attacks grow more sophisticated, regulators worldwide—including Hong Kong’s Securities and Futures Commission (SFC)—are now mandating the phase‑out of SMS OTPs in favour of phishing‑resistant authentication methods. This shift has put time‑based one‑time password (TOTP) generators like Google Authenticator, Microsoft Authenticator, and open‑source alternatives like Aegis or OTPBox into the spotlight.

In this article, we’ll explain why SMS OTPs are no longer considered safe, how TOTP generators work, when to use them, and—most importantly—how to manage them securely. You’ll also find a fully worked example of setting up TOTP with a popular authenticator app, and a comparison of different 2FA methods. Try it in our OTP Generator to generate your own TOTP codes instantly.

Why SMS OTPs Are Being Retired

SMS OTPs were once a strong second factor, but attackers have found multiple ways to bypass them:

  • Phishing: A fake website mimics a legitimate login page; the user enters their password and the SMS OTP, which the attacker immediately uses.
  • SIM swapping: An attacker convinces a mobile carrier to transfer the victim’s phone number to a SIM card they control, intercepting all SMS messages.
  • Malware: Trojan apps on the victim’s phone read incoming SMS messages and forward them to the attacker.
  • Social engineering: Attackers call victims pretending to be from their bank, tricking them into revealing the OTP.

Because of these risks, regulators like the SFC now require financial institutions to adopt phishing‑resistant authentication—methods that cannot be easily phished or intercepted. TOTP generators, while not phishing‑resistant on their own (a user can still be tricked into typing a TOTP code into a fake site), are far more secure than SMS when combined with proper user education and device binding.

What Is a TOTP Generator?

A time‑based one‑time password (TOTP) generator is an app or hardware device that produces a short, numeric code that changes every 30 seconds (or another interval). The code is derived from a shared secret key and the current time, using the HMAC‑SHA1 algorithm (per RFC 6238).

Key characteristics:

  • No network required: The code is generated locally on the device, so it works offline.
  • Time‑synchronised: Both the server and the generator must have their clocks in sync (within a few minutes).
  • Ephemeral: Each code is valid only for a short window (typically 30 seconds).

How It Works (Simplified)

  1. During setup, the service provides a secret key (often encoded as a QR code or a Base32 string).
  2. The authenticator app stores this secret and combines it with the current Unix time (divided by 30) using HMAC‑SHA1.
  3. The resulting hash is truncated to a 6‑digit number.
  4. The user enters this number on the login page, and the server performs the same calculation to verify it.

When to Use a TOTP Generator

TOTP is ideal for:

  • Personal accounts: Email, social media, cloud storage, and developer platforms (GitHub, GitLab, AWS).
  • Corporate 2FA: Many organisations enforce TOTP for employee VPN, email, and internal tool access.
  • Self‑hosted services: If you run your own server (e.g., Nextcloud, GitLab), TOTP is a lightweight, offline‑capable 2FA option.

It is not recommended as the sole second factor for high‑value financial accounts if the service supports hardware security keys (FIDO2/WebAuthn) or passkeys, which are truly phishing‑resistant.

Common Pitfalls of TOTP

  • Secret key exposure: If the QR code or Base32 secret is intercepted during setup, an attacker can clone the token.
  • Clock drift: If the device’s clock is inaccurate, codes may not match. Most apps have a “time correction” feature.
  • No backup: Losing the device without a backup means losing access to all accounts protected by that authenticator.
  • Single point of failure: Relying on one phone means a lost or broken device can lock you out.
  • Phishing still possible: A user can be tricked into entering a TOTP code on a fake site. TOTP alone does not prevent phishing.

Worked Example: Setting Up TOTP with OTPBox

Let’s walk through a complete example using OTPBox, an open‑source Android authenticator. (The same steps apply to most TOTP apps.)

Step 1: Obtain the Secret

When you enable 2FA on a service (e.g., GitHub), you’ll see a QR code and a “setup key” (a Base32 string like JBSWY3DPEHPK3PXP). Copy the setup key or scan the QR code with OTPBox.

Step 2: Add the Account in OTPBox

Open OTPBox and tap the + button. Choose Scan QR code or Manual entry. If manual, paste the Base32 secret and optionally enter an issuer name (e.g., “GitHub”) and account name (e.g., “user@example.com”).

Step 3: Verify the Code

OTPBox will immediately display a 6‑digit code that refreshes every 30 seconds. Enter this code on the service’s verification page. Once confirmed, 2FA is active.

Step 4: Export and Backup (Critical!)

In OTPBox, go to Settings → Export. Choose Encrypted export and set a strong password. This creates a JSON file containing all your secrets, encrypted with AES‑256‑GCM. Store this file in a secure offline location (e.g., an encrypted USB drive or a password manager’s secure notes).

Warning: Never store the unencrypted export or the QR code screenshot in cloud storage, email, or messaging apps.

Comparison: SMS OTP vs. TOTP vs. Passkeys

Feature SMS OTP TOTP Generator Passkey / FIDO2
Phishing resistance Low Medium (user still types code) High (cryptographic challenge)
Offline capability Requires cellular network Works offline Works offline (device bound)
SIM swap risk High None None
Interception risk High (SMS forwarding, malware) Low (local generation) Very low
Backup complexity Automatic (SIM) Manual (export secrets) Usually tied to device ecosystem
User experience Simple, but prone to delays Quick once set up Seamless (biometric or PIN)

How to Manage TOTP Secrets Safely

  1. Enable app lock: Use the authenticator app’s built‑in PIN or biometric lock to prevent unauthorised access.
  2. Backup your secrets: Export an encrypted backup and store it offline. Some apps (like OTPBox) support encrypted cloud sync via GitHub Gist—use with caution.
  3. Use multiple devices: Register the same secret on two devices (e.g., phone and tablet) to avoid a single point of failure.
  4. Keep recovery codes: Most services provide recovery codes when you enable 2FA. Store them in a password manager or safe.
  5. Avoid screenshots: Never take a screenshot of the QR code or the secret key. If you must capture it, use a secure method like a password manager’s built‑in scanner.

FAQ

What happens if I lose my phone with the authenticator app?

If you have a backup (encrypted export or recovery codes), you can restore your accounts on a new device. Without a backup, you will need to disable 2FA on each service using their recovery process, which often requires identity verification and may take days.

Can I use the same TOTP secret on multiple devices?

Yes. Most authenticator apps allow you to scan the same QR code or enter the same secret on multiple devices. This is a good practice for redundancy.

Is TOTP vulnerable to phishing?

Yes, if a user is tricked into entering a TOTP code on a fake site, the attacker can immediately use it. TOTP is not phishing‑resistant on its own. For phishing resistance, use passkeys or hardware security keys.

How do I migrate from SMS OTP to TOTP?

Log into each service that supports 2FA, disable SMS OTP, and enable TOTP by scanning a new QR code with your authenticator app. Follow the service’s instructions to complete the migration.

Are all TOTP apps equally secure?

Most are secure if they store secrets in encrypted device storage (e.g., Android Keystore, iOS Keychain). Avoid apps that require internet permissions or send data to the cloud without encryption. Open‑source apps like Aegis, OTPBox, and andOTP are auditable and often preferred by security‑conscious users.

Conclusion

The move away from SMS OTPs is a necessary step in the fight against phishing and account takeover. TOTP generators offer a strong, offline‑capable second factor that is far more secure than SMS—provided you manage the secrets carefully. By understanding the risks and following best practices, you can significantly improve your account security today.

Ready to generate your own TOTP codes? Try our OTP Generator to see how it works.