Security·March 8, 2026·5 min read
Why OTPs Look the Same but Work Very Differently
A deep dive into the two very common models hiding behind that familiar OTP screen: TOTP vs. server-stored OTP, and why this difference matters.

If you use enough apps, you start seeing the same screen again and again.
Enter a 6-digit code.
Maybe it says the code expires in 30 seconds. Maybe there is a "resend OTP" button. Maybe the code comes from an authenticator app, maybe it arrives by SMS.
From the user side, this all feels like one thing.
From the backend side, it is not one thing at all.
There are two very common models hiding behind that familiar OTP screen:
- TOTP: the code is computed on both sides from a shared secret and the current time, so the server never stores the code itself
- server-stored OTP: the server generates a random code, stores it with an expiry, sends it to you, and compares what you type against the stored copy
This project is a small Go prototype for both, but the idea matters more than the code. If you understand the difference between these two models, a lot of auth flows start making more sense.
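To make the two backends concrete, here is an added illustration in Go, written for this page and not taken from the repo's prototype. It puts the models side by side: a TOTP verifier that derives each code from the shared secret and a 30-second time step (RFC 6238 over HMAC-SHA1, 6 digits) and accepts one step of skew on either side, and a server-stored OTP that draws a random code, keeps it with an expiry and an attempt counter, and consumes it on first use. The in-memory map standing in for the database, the user name, the TTL and attempt cap, and the use of the RFC 6238 test-vector secret as input are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ---- Model 1: TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30-second step). The server keeps only
// the shared secret; every code is recomputed from secret + time, so nothing per-code is stored.
const totpStep = 30 // seconds per time step
// totpCode derives the 6-digit code for one step counter (RFC 4226 dynamic truncation).
func totpCode(secret []byte, counter int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// totpAt is the code a correctly synced authenticator app shows at wall-clock time t.
func totpAt(secret []byte, t time.Time) string { return totpCode(secret, t.Unix()/totpStep) }

// verifyTOTP accepts the current step and up to skew steps on either side. That tolerance is
// why a code often still works after the app's countdown hits zero: it absorbs clock drift.
func verifyTOTP(secret []byte, code string, now time.Time, skew int64) bool {
	c := now.Unix() / totpStep
	for d := -skew; d <= skew; d++ {
		if subtle.ConstantTimeCompare([]byte(totpCode(secret, c+d)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// ---- Model 2: server-stored OTP. The server draws a random code, stores it beside the user
// with an expiry and an attempt counter, sends it out of band (SMS, email) and compares on
// submit. Nothing is derived: the row IS the code, so lifetime, single use and attempt limits are its job.
var (
	errNoCode, errExpired   = errors.New("no active code for user"), errors.New("code expired")
	errTooMany, errMismatch = errors.New("too many attempts"), errors.New("wrong code")
)
type otpRecord struct {
	code     string
	expires  time.Time
	attempts int
}
type otpStore struct {
	ttl         time.Duration
	maxAttempts int
	byUser      map[string]*otpRecord // assumed stand-in for a database or Redis row keyed by user
}

// issue mints a fresh random code (crypto/rand, never math/rand); issuing again replaces the old one ("resend OTP").
func (s *otpStore) issue(user string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.byUser[user] = &otpRecord{code: code, expires: now.Add(s.ttl)}
	return code, nil
}

// verify enforces expiry, an attempt cap (a 6-digit space is only a million guesses) and single use.
func (s *otpStore) verify(user, code string, now time.Time) error {
	rec := s.byUser[user]
	if rec == nil {
		return errNoCode
	}
	if now.After(rec.expires) {
		return errExpired
	}
	if rec.attempts++; rec.attempts > s.maxAttempts {
		delete(s.byUser, user)
		return errTooMany
	}
	if subtle.ConstantTimeCompare([]byte(rec.code), []byte(code)) != 1 {
		return errMismatch
	}
	delete(s.byUser, user) // consumed: the same code cannot be replayed
	return nil
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test-vector secret, a constructed input
	now := time.Unix(1111111109, 0)
	fmt.Println("TOTP:", totpAt(secret, now), "previous step accepted with skew=1:", verifyTOTP(secret, totpAt(secret, now.Add(-30*time.Second)), now, 1))
	s := &otpStore{ttl: 5 * time.Minute, maxAttempts: 5, byUser: map[string]*otpRecord{}}
	code, _ := s.issue("alice", now)
	fmt.Println("stored OTP first use:", s.verify("alice", code, now), "replay:", s.verify("alice", code, now))
}
```

Run as written, the TOTP line prints 081804, the RFC 6238 SHA-1 vector for that instant, and the stored-OTP line shows the first use succeeding and the replay failing because the row is gone. One thing deliberately left out on the TOTP side: this verifier does not remember the last step it accepted, so within the skew window the same code could be submitted twice; a real server stores the last-used counter per user and refuses anything at or below it. The attempt cap on the stored side exists for the same reason: six digits is a million possibilities, and on that side it is the server's bookkeeping, not any math, that keeps the space from being brute-forced.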
Contents
- The big idea
- Part 1: TOTP
  - How TOTP generates a code
  - Why TOTP servers often accept nearby windows
  - What is nice about TOTP
  - What can go wrong with TOTP
- Part 2: Server-stored OTP
  - Where the code is stored
  - Why this flow is so common
  - What can go wrong with server-stored OTP
- Same UI, different backend
- A simple mental model
- Why the prototype in this repo is useful
- When to use which one
- Final thought
Filed under fieldnotes · March 8, 2026