TOTP Authenticator

Set up a TOTP authenticator app as an approval authentication method.

Key Concepts

TOTP (Time-based One-Time Password) is a widely supported authentication standard defined in RFC 6238. Your authenticator app generates a new 6-digit code every 30 seconds based on a shared secret. When you enter the code to approve a request, SignedApproval verifies it matches the expected value for the current time window.

TOTP is less secure than passkeys (codes can be phished, and the shared secret must be stored server-side), but it works everywhere and requires no special hardware. It's a good backup method if your passkey device is unavailable.

Step-by-Step Guide
1. Open authentication settings

Log in to your dashboard and go to Settings. Under Authentication Methods, click Set Up TOTP.

2. Scan the QR code

A QR code will appear on screen. Open your authenticator app and scan it:

  • Google Authenticator — Tap the + button, then "Scan a QR code".
  • Authy — Tap "Add Account", then scan.
  • 1Password — Edit the entry and add a one-time password field.
  • Any TOTP app — Look for "Add account" or "Scan QR code".

If you can't scan the QR code, click Show manual entry to reveal the base32 secret key that you can type into your app.

3. Enter the verification code

After scanning, your authenticator app will display a 6-digit code. Enter it in the verification field and click Verify. This confirms that your app is generating correct codes.

4. Save your backup codes

After verification, you'll see a set of backup recovery codes. Save these in a secure location (password manager, printed and stored safely). These codes can be used if you lose access to your authenticator app.

Important
Backup codes are shown only once. If you lose both your authenticator app and your backup codes, you'll need to contact support to reset your TOTP enrollment.

Using TOTP to Approve

When approving a request with TOTP:

  1. Click Approve on the pending request.
  2. Select TOTP as your authentication method (if you have multiple methods registered).
  3. Open your authenticator app and read the current 6-digit code.
  4. Enter the code and confirm.

The code is valid for a 30-second window, with a small grace period for clock drift. If the code expires while you're typing, wait for the next one.
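The following is an added example, not SignedApproval's own code, showing the three pieces the page describes: the base32 secret and otpauth:// URI behind the QR code and manual entry (Step 2), the RFC 6238 code derived from that secret and the current 30-second window (Key Concepts), and a server-side check that allows one step of clock drift, compares in constant time, and refuses to accept the same window twice. The 20-byte secret used below is the published RFC 6238 test key; the account and issuer strings are constructed placeholders. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length described on this page

# Constructed test value: the 20-byte ASCII key "12345678901234567890" from
# RFC 6238 Appendix B, base32-encoded. Never reuse a known key in production.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes=20):
    """Fresh random shared secret as base32 text (what "Show manual entry" would display)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI an enrollment QR code encodes (Key Uri Format read by authenticator apps)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{query}"


def _decode_secret(secret_b32):
    # Manually typed secrets arrive lowercase, with spaces, and without '=' padding; normalise all three.
    cleaned = secret_b32.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None):
    """RFC 6238 TOTP: the HOTP code for the 30-second window containing Unix time `at` (now if omitted)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check for one enrollment: accepts the current window plus `drift_steps`
    either side (the page's grace period for clock drift) and never accepts a window at or
    before the last one that already approved a request, so a captured code cannot be replayed."""

    def __init__(self, secret_b32, drift_steps=1):
        self.secret_b32 = secret_b32
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest window consumed by a successful approval

    def verify(self, code, at=None):
        """Return the window counter the code matched, or None if it is rejected."""
        if not (isinstance(code, str) and len(code) == DIGITS and code.isdigit()):
            return None
        now_counter = int(time.time() if at is None else at) // STEP_SECONDS
        matched = None
        # Evaluate every candidate window; compare_digest keeps each comparison constant-time.
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if hmac.compare_digest(hotp(self.secret_b32, counter), code):
                matched = counter
        if matched is None or matched <= self.last_counter:
            return None  # wrong code, or a replay of a window that already approved something
        self.last_counter = matched
        return matched


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "SignedApproval"))  # placeholder account/issuer
    print("current code:", totp(secret))
```

The verifier deliberately keeps scanning after a match instead of returning early, and rejects any window at or below `last_counter`: with a one-step drift allowance, a code remains acceptable for up to about 90 seconds, so without that bookkeeping a code observed once could approve a second request inside that span.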

Security Considerations

TOTP secrets are encrypted with AES-256-GCM before being stored in the database. The encryption uses SignedApproval's ENCRYPTION_KEY, which is separate from any other service's encryption key.

While TOTP is widely supported and convenient, passkeys are recommended as your primary authentication method because they are phishing-resistant and don't require a shared secret.

Tip
You can have both a passkey and TOTP registered simultaneously. When approving, you choose which method to use. The method is recorded in the signed approval payload so verifiers know how you authenticated.