Also known as: Time-based One-Time Password, authenticator code, authenticator app
Definition
TOTP (Time-based One-Time Password) is a six-digit code generated every 30 seconds from a shared secret. The user scans a QR code at enrollment, their authenticator app imports the secret from it, and Supabase verifies each code by computing the same derivation on its side. TOTP is the recommended MFA factor over SMS.
TOTP is defined in RFC 6238. The authenticator app and the server share a secret (planted during enrollment via QR code or manual paste). Both sides apply HMAC-SHA1, keyed with the secret, to the current 30-second time-step counter (the Unix time divided by 30, rounded down) and truncate the result to a six-digit code. Codes from the previous and next window are also accepted to handle clock drift.
SMS-based MFA is interceptable at the carrier level via SIM-swap attacks, SS7 protocol exploits, and social-engineering of mobile providers. TOTP secrets never leave the authenticator app after enrollment, so there is no in-flight credential to intercept. NIST removed SMS from its recommended MFA factors in 2017 for exactly this reason.
Call supabase.auth.mfa.enroll({ factorType: 'totp' }), which returns a QR-code SVG and a secret. The user scans the QR with their authenticator app. The app generates a six-digit code, the user types it back, and your code calls mfa.challenge followed by mfa.verify to activate the factor. On successful verify, the current session is promoted to AAL2 and all other sessions are signed out.