2FA.HK FAQ

Why does a TOTP code refresh every 30 seconds?

Q: Why does a TOTP code refresh every 30 seconds?

A TOTP code is calculated from a secret key and the current time window. The common 30-second refresh interval helps reduce the risk of code reuse and long-term exposure.

Updated 2026-06-19

TOTP stands for Time-based One-Time Password. It uses a 2FA secret key and the current time as inputs to calculate a temporary verification code.

Many platforms use a 30-second time window by default. This means that within the same 30-second window, the same secret key usually generates the same code. When the next time window begins, the code changes automatically.

This design prevents a verification code from staying valid for too long. Even if someone sees a code, it can only be used for a very short period of time. Compared with a static password, TOTP is better suited for login confirmation, sensitive actions, and account security protection.

However, a 30-second refresh interval does not mean the secret key itself is safe. If the 2FA secret key is leaked, someone can continuously generate new codes. The truly sensitive data is the secret key, not just the 6-digit code generated at one moment.

If your codes are always invalid, check whether the system time is accurate. Since TOTP depends on time, a large time difference can cause your generated code to differ from the server’s expected code.
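
The window behaviour and the clock-skew failure described above, as an added example (not code from 2FA.HK) that implements RFC 6238 TOTP with HMAC-SHA1. The key is the RFC's published test key; the `verify` helper and its one-window drift tolerance are assumptions about a typical server, not something this page specifies.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time window (the common default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): output depends only on key and window."""
    counter = unix_time // STEP                      # index of the time window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, drift: int = 1) -> bool:
    """Hypothetical server check: accept the current window +/- `drift` windows."""
    return any(
        hmac.compare_digest(totp(secret, server_time + w * STEP), code)
        for w in range(-drift, drift + 1)
    )

def demo() -> dict:
    key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    server = 1111111109            # RFC test time; last second of its window
    return {
        # Same key, same window: identical code for all 30 seconds.
        "start_of_window": totp(key, server - 29),
        "end_of_window": totp(key, server),
        # One second later the window index changes, and so does the code.
        "next_window": totp(key, server + 1),
        # A client clock 2 s fast is already in the next window; the
        # assumed +/-1 window tolerance still accepts its code.
        "client_2s_fast_ok": verify(key, totp(key, server + 2), server),
        # A client clock that is far off produces a code the server rejects.
        "client_far_off_ok": verify(key, totp(key, 59), server),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Nothing in `totp` is secret except the key: anyone who holds it can compute the code for any time window, which is why the key, not a single 6-digit code, is what needs protecting.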