How Authenticator Apps Work: The Science Behind 6-Digit Codes

When you log into an online account and it asks for a 6-digit code from an authenticator app—like Google Authenticator, Microsoft Authenticator, or Authy—you’re using something called Time-based One-Time Passwords (TOTP). This method adds a second layer of security known as two-factor authentication (2FA).

Even though it looks simple, a lot of cryptographic engineering happens behind the scenes. Let’s break it down in a way that’s easy to follow.

1. The Secret Shared Key (Seed)

Before an authenticator app can generate codes for an account, the service (Google, Instagram, GitHub, etc.) and your authenticator app must share a secret.

This usually happens when you see a QR code during setup.

The QR code contains:
- A secret key (a long random string in Base32 format)
- The account name
- The type of OTP (usually TOTP)
- The time interval (usually 30 seconds)

Your authenticator app scans the QR code and stores the secret locally on your device.

This shared secret is the foundation of all future code generation.

2. Time-Based Code Generation (TOTP)

Once your device has the secret key, it generates new 6-digit codes every 30 seconds using the TOTP algorithm—an industry standard defined in RFC 6238.

The core idea

The app generates a code by combining:

The shared secret key

The current time (rounded to 30-second intervals)

Because both your device and the server know the same secret and the same time, they can independently generate matching codes.

3. The Algorithm Behind the Code

Here is the step-by-step process of how a 6-digit code is produced:

Step 1: Calculate the time counter

The current Unix time (seconds since Jan 1, 1970) is divided by 30.

Html

Example: If the time is 1697040000, then:

Html

This counter changes every 30 seconds.

Step 2: Combine the Secret Key and Time Counter Using HMAC-SHA1

HMAC = Hash-based Message Authentication Code SHA-1 = a hashing algorithm

The app computes:

Html

This produces a long hash value.

Step 3: Dynamic Truncation

From the hash result, the algorithm extracts a 4-byte (31-bit) number.

This is done to ensure randomness and uniform distribution.

Step 4: Turn the Number Into 6 Digits

Take the 31-bit integer and compute:

Html

This gives a number between 000000 and 999999.

The app displays it, and it remains valid for 30 seconds.

4. How Services Verify Your Code

When you enter your 6-digit code:

The server repeats the same process:
- Uses its copy of the shared secret
- Computes time_counter
- Runs HMAC-SHA1
- Generates its own 6-digit code
If the server’s code matches yours, authentication succeeds.

Because clocks may drift, servers often check:

The current 30-second window
±1 window (optional)

This ensures small timing differences don’t cause failures.

5. Why This Is Secure

✔ The secret key never leaves your device

Only the hashed output is used to generate codes.

✔ Codes expire automatically

A 6-digit code is only valid for ~30 seconds.

✔ Even if someone sees your code

They can’t generate the next one without the secret key.

✔ Resistant to brute-force

1,000,000 possibilities + rapid expiration = very hard to guess.

6. Common Authenticator Apps

Popular choices include:

Google Authenticator
Microsoft Authenticator
Authy
1Password / LastPass built-in authenticators

All of them use the same TOTP standard.

Summary

Authenticator apps work by using a shared secret key and the current time to generate a temporary 6-digit code using the TOTP algorithm. The steps are simple but mathematically strong:

Share a secret key during setup
Compute a time counter (every 30s)
Apply HMAC-SHA1 to secret + time
Truncate and format to 6 digits
Server and app generate the same code independently
If codes match → login successful

It’s one of the most effective, secure, and widely used forms of two-factor authentication today.

Authenticator6 digits2FA

Create your AI Agent

Automate customer interactions in just minutes with your own AI Agent.

Get started for free Chat with AI for fun

Featured posts

Exploring the Magic Behind AI Picture Generation

Can you imagine telling your computer, "I want a picture of a cat wearing a superhero cape flying over New York City," and getting that image in seconds? This is possible thanks to AI. Let’s break down the key technologies behind AI picture generation, which make creative visuals more accessible.

How Does a URL Shortener Work?

URL shorteners are tools that create a condensed version of long web addresses, making them easier to share and manage. These services are often used in social media posts, emails, or printed materials where space is limited. This article explains the process behind how URL shorteners function, covering their mechanisms and technology involved.

AI Chatbot: The Ultimate Support to Customer Support Teams

In the digital age, customer service has evolved beyond traditional call centers and face-to-face interactions. Today, Artificial Intelligence (AI) chatbots are revolutionizing the way businesses handle customer inquiries, providing instant support and freeing up human agents to focus on more complex tasks. One such AI chatbot making waves in the industry is Handle Chatbot.

Employees Facing Termination Due to AI Interactions

AI technology undoubtedly brings forth a multitude of advantages. However, a concerning trend has emerged where employees find themselves grappling with unexpected consequences, including job terminations, stemming from their interactions with AI. This blog goes into real-life cases where employees have been let go after engaging with AI.

Should I use JPG, PNG, or WebP for my website?

When it comes to website design and optimization, choosing the right image format plays a significant role in enhancing the user experience and optimizing the loading time. The debate between JPG, PNG, and WebP formats has been ongoing, with each format having its own advantages and disadvantages. In this blog, we will delve into the characteristics and use cases of these formats to help you make an informed decision for your website.

AI: Friend or Foe for Workers?

The rise of AI is changing how we work. Some believe it will improve our jobs, while others worry it will eliminate them. The truth is likely more complex than a simple "yes" or "no." It's beneficial to look at both the potential positives and negatives of AI on the working world.

Is the Salary Too Low in the European Union?

The issue of low salaries has always been a cause for concern in many countries, including those in the European Union (EU). With its diverse economies and varying labor market conditions, the EU faces challenges in ensuring fair wages for its workers. In this blog, we will explore the question: Is the salary too low in the European Union?

How a GPT Model Learns and Understands Grammar?

Teaching a machine to understand and generate human language isn’t just about stringing words together—it’s about capturing the nuances of grammar, context, and meaning. GPT (Generative Pre-trained Transformer) models are at the forefront of this challenge, transforming vast amounts of text into coherent, grammatically correct language. But how exactly do these models handle the complexities of grammar, especially in long and intricate sentences? Let’s explore the inner workings of how GPT models achieve this linguistic feat..

Achieve more with AI

Enhance your customer experience with an AI Agent today. Easy to set up, it seamlessly integrates into your everyday processes, delivering immediate results.

Try for free Get a demo

Latest posts

AskHandle Blog

Ideas, tips, guides, interviews, industry best practices, and news.

• April 6, 2025

How Can Small Businesses Use AI to Reduce Operational Costs?

Small businesses are always looking for ways to save money and streamline their operations. One of the most effective tools for achieving this goal is AI. This technology can make work easier and more efficient, allowing small businesses to focus on what really matters. Here are some practical ways small businesses can use AI to cut down on operational costs.

Small BusinessesOperational CostsCustomers

• October 3, 2023

What is Costco Return Policy?

Costco, a membership-based warehouse club, is well-known for its generous return policy, which is often considered one of the best in the retail industry. This policy plays a significant role in building trust and customer satisfaction.

CostcoReturn PolicyReturn to Costco

• September 24, 2023

Navigating Feelings of Inadequacy in Your Work

Experiencing the sensation that you're not working hard enough can be a wellspring of frustration and self-doubt. This sentiment is something that many individuals encounter at different phases in their lives, whether it's in personal endeavors, academic pursuits, or professional careers. In this blog, we go into the underlying reasons for this sensation and explore constructive ways to address it.

Working hardNo overworkingStay postive

View all posts