Definition
TOTP stands for Time-based One-Time Password. It's the algorithm (standardized in RFC 6238, built on the HOTP counter scheme of RFC 4226) behind the 6-digit codes that rotate every 30 seconds inside apps like Google Authenticator, Authy, 1Password, Bitwarden, and Microsoft Authenticator. The server and the authenticator app share a secret (typically displayed as base32); both sides compute HMAC-SHA1 over the 8-byte big-endian time step floor(currentUnixTime / 30), truncate the MAC to 6 decimal digits using HOTP's dynamic truncation, and compare.
Because the code depends on the current 30-second window, a TOTP code intercepted by a phisher is only useful for that window plus whatever skew tolerance the server allows - a minute or two at most, dramatically less than a stolen static password. The caveat is that a real-time phishing proxy which relays the code within that window still gets in; TOTP limits replay, it does not defeat live relay. Clock skew is handled by accepting codes from one or two steps on either side of the current time (the ±1 step tolerance most servers use accepts three consecutive windows, about 90 seconds in total). A server should also remember the time step of the last accepted code and refuse that step (or any earlier one) on later attempts, so a captured code can't be replayed inside the grace window; RFC 6238 requires that a successfully used OTP is never accepted a second time.
The shared secret leaves the server only once, at enrollment, when it's shown as a QR code for the user to scan (the QR code encodes an otpauth:// URI carrying the base32 secret, issuer, and account name). Both ends derive codes independently from that point on.
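The computation described above, as an added worked example (this is not code from the page or from SheetLinkWP): HOTP with dynamic truncation, TOTP on top of it, a server-side verifier with ±1 step skew tolerance and replay protection, and the otpauth:// provisioning URI that goes into the enrollment QR code. The secret is the constructed RFC 6238 Appendix B test key (ASCII "12345678901234567890") written out as the base32 string an app would be given; the verifier's policy of rejecting any step at or before the last accepted one, and the URI parameter set, are this example's assumptions rather than anything the page specifies.

```python
"""TOTP (RFC 6238) on HOTP (RFC 4226), plus a skew-tolerant, replay-resistant verifier."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed example secret: the RFC 6238 Appendix B test key (ASCII "12345678901234567890")
# in the base32 form an authenticator app is shown at enrollment.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode an enrollment secret as users tend to type it: any case, spaces, padding optional."""
    s = secret_b32.replace(" ", "").strip().upper()
    s += "=" * (-len(s) % 8)  # base64.b32decode insists on padding to a multiple of 8 chars
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last MAC byte selects a 4-byte window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the time step floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret_b32: str, issuer: str, account: str) -> str:
    """The otpauth:// Key URI encoded into the enrollment QR code (assumed parameter set)."""
    label = quote(f"{issuer}:{account}", safe=":")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check: accept codes from +/- `skew` steps, but never reuse a step."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_used_step = -1  # assumption: persisted per user in a real deployment

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self.last_used_step:
                continue  # this window (or an older one) already produced a successful login
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = decode_base32_secret(TEST_SECRET_B32)
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(secret, t))  # last six digits of the RFC 6238 SHA-1 vectors
    v = TotpVerifier(secret)
    print("first use:", v.verify("287082", 59), "replay:", v.verify("287082", 61))
    print(provisioning_uri(TEST_SECRET_B32, "SheetLinkWP", "alice@example.com"))
```

Two details matter in the verifier: the replay check runs before the comparison so that a code captured at step N cannot be accepted again from the skew window at step N+1, and `hmac.compare_digest` keeps the string comparison constant-time. The 6-digit outputs for the test times are the trailing six digits of the 8-digit SHA-1 vectors in RFC 6238 Appendix B (287082, 081804, 050471, 005924, 279037, 353130), which is a quick way to validate any TOTP implementation before deploying it.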
How SheetLinkWP relates to TOTP
SheetLinkWP offers TOTP as an opt-in second factor on the portal. After enrolling in the Security tab, every sign-in requires a 6-digit code from your authenticator app after the magic-link click. The secret is stored AES-256-GCM encrypted at rest using a dedicated master key separate from the database-level encryption.
Enrollment is two-step: we generate and display the secret plus QR code, but the secret isn't persisted until the user enters a valid 6-digit code - this prevents "enrolled with a typo'd secret" lockouts. Users also receive 10 single-use backup codes, shown once at enrollment, for recovery if their authenticator is lost.
Disabling 2FA requires both the current TOTP code and a fresh email re-auth code, so a hijacked session cookie alone can't flip protection off.