Home Blog WordPress Management How Authenticator apps work

2FA apps

How Authenticator apps work

Authenticator apps are a crucial part of the 2-Factor Authentication ecosystem. While they are generally very straightforward to operate and use, what goes on under the surface can help you choose the right kind of authenticator app for you and help you successfully implement 2FA on your WordPress website.

The basics of Authenticator apps

Authenticator apps have one job – to issue an OTP (One Time Password). A one-time password, as the name suggests, is a password that you can only use once. Once you have used that password, you cannot use it again to log in. While this is theoretically true, there can be scenarios where you use the same password more than once. We will see how this might happen later on in this article.

How to get started with an Authenticator app?

Before an authenticator app can begin to generate OTPs, you must first download a secret key. This secret key is provided by the website that we will be logging into. For example, suppose we want to use the authenticator app to log in to a WordPress website. In that case, we need to download the key from the WordPress website, which the two-factor authentication plugin WP 2FA provides.

WP 2FA wizard

Keys can be downloaded in several ways. The easiest way to do so is by scanning a QR code using your phone’s camera. You can also opt to enter it manually. This effectively syncs the website with the app. Once the secret key has been downloaded, the app will automatically start generating the keys that we will use to authenticate ourselves.

Can you use the Authenticator app for multiple 2FA accounts?

Secret keys are an essential part of the equation, as they allow the authenticator app to generate the passwords we need. Multiple keys can be downloaded to one authenticator app, allowing you to use the same authenticator app to log in to different websites. To this end, you can think of the authenticator app as a keyring, with each secret key downloaded to the app being another key in the ring that opens a different door.

How OTPs are generated

There are two versions of the One Time Password, called TOTP and HOTP. These two versions work very differently, even though the result is pretty much the same – a 6-digit number.

What’s the difference between TOTP and HOTP?

TOTP and HOTP are the two different ways in which an algorithm can generate an OTP. WP 2FA is compatible with both and uses Authenticator apps for TOTP and email for HOTP.


The H in HOTP stands for HMAC, which itself stands for Hash-based Message Authentication Code. Yes, it’s an acronym in an acronym.

HOTP hashes the secret key and a counter value using SHA1 to get a 160-bit result. The result is then truncated to 31 bits, with the latest result modulated to 106 to give us a 6-digit integer. This 6-digit integer is our OTP. Once the OTP is used, the counter value increments and a new password is issued, ready for our next login.

This process is carried out simultaneously on the server and the device on which the authentication app is installed, allowing the server to verify that the authenticating user is who they say they are by ensuring that the numbers match.


The T in TOTP stands for time, and it works similarly to HOTP. Instead of using a counter, however, TOTP uses Unix Time at 30-second intervals, with the rest of the process working similarly to HOTP. As such, TOTP issues a new password every 30 seconds, regardless of whether we use it or not.

Generally speaking, TOTP is considered to be the more secure of the two. This is because HOTP must allow for a broader range of acceptable passwords due to possible loss of counter-value synchronization between the server and the app.

How are OTPs only used once?

For HOTP to work, all devices need to have the same counter value. As such, as we previously discussed, to account for minor discrepancies, the HOTP authentication service looks at the immediate past and future values if there is no match with the current value to account for any discrepancies in the counter value that can occur over time. As such, HOTP accepts a range of values rather than just the one, which makes it less secure overall.

For TOTP to work, on the other hand, the server and the app must have their clocks synchronized. This makes sure that the password match. The one-time usage of the OTP is due to the fact that OTPs expire after 30 secs, after which a brand new password is generated.

In reality, the same password may appear more than once since TOTP will technically cycle through all possible numbers in a little bit less than a year (There are 999,999 possible passwords, with each one lasting 30 secs).

WP 2FA and Authenticator apps

WP 2FA is compatible with all Authenticator apps that use the TOTP algorithm to issue one-time passwords.

Getting started and configuring 2FA on your WordPress website user with the WP 2FA plugin just takes a few seconds. If you need assistance getting started with your Authenticator up, refer to the instructions on how to set up popular Authenticator apps.

Posted inWordPress Management
Joel Farrugia
Joel Barbara

Joel is our technical writer responsible for writing the different kinds of content we need. With a background in tech and content, he has a passion for making technology accessible and understandable for everyone. You can reach Joel at joel@melapress.com.

Stay in the loop

Subscribe to the Melapress newsletter and receive curated WordPress management and security tips and content.

Newsletter icon

It’s free and you can unsubscribe whenever you want. Check our blog for a taste.

Envelope icon