
How Mobile Service validates time-based one-time passcodes (TOTP)

This KB explains how SecureAuth Mobile Service validates time-based one-time passcodes (TOTPs) and how the cache prevents users from reusing the same passcode during its validity window. This information supports audit, compliance, and security reviews for cloud and hybrid deployments.

How TOTP validation works

When you enter a passcode from an enrolled authenticator app, Mobile Service performs the following steps:

  1. It calculates the expected value from the user’s OATH seed.

  2. It compares the submitted passcode with the expected value.

  3. If the passcode is valid, the service stores it in a temporary cache that is tied to that specific OATH seed.

  4. If the same passcode is submitted again while the cache is active, the service rejects it.

This helps protect against replay attempts within the passcode’s valid time window.

Cache behavior example

If you use:

  • TOTP interval: 30 seconds

  • Time offset: 5 minutes

Then the cache persists for 5 minutes and 30 seconds.

During this time, reuse of the same passcode is not allowed. Once the cache expires, a passcode with the same numeric value may be accepted again only if the TOTP algorithm naturally generates that number in a future interval.

Each enrolled authenticator app has its own OATH seed. The reuse-prevention logic applies separately to each seed.
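The validation steps and the cache behavior above, as an added Python example (not SecureAuth's code). It assumes the time offset is the clock drift tolerated in each direction, uses the page's `identifier-usedtotp` key format, and goes slightly beyond the page by keeping every accepted passcode under the seed's key until its own TTL lapses; the class and function names are hypothetical.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // interval)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpValidator:
    """Validates a passcode, then remembers accepted ones per seed until the TTL lapses."""

    def __init__(self, interval: int = 30, time_offset: int = 300):
        self.interval = interval
        self.time_offset = time_offset      # drift tolerated each way (assumption)
        self.ttl = interval + time_offset   # page's example: 30 s + 5 min = 330 s
        self.cache = {}                     # "<identifier>-usedtotp" -> {passcode: expires_at}

    def live_entries(self, identifier: str, now: int) -> dict:
        """Return the un-expired cached passcodes for one seed, purging expired ones."""
        key = f"{identifier}-usedtotp"
        live = {p: exp for p, exp in self.cache.get(key, {}).items() if exp > now}
        self.cache[key] = live
        return live

    def validate(self, identifier: str, seed: bytes, passcode: str, now: int):
        """Return (accepted, log_reason). Both rejections look identical to the user."""
        steps = self.time_offset // self.interval
        expected = {totp(seed, now + i * self.interval, self.interval)
                    for i in range(-steps, steps + 1)}
        if passcode not in expected:
            return False, "invalid_passcode"
        live = self.live_entries(identifier, now)
        if passcode in live:
            return False, "duplicate_totp"  # logged as a duplicate submission
        live[passcode] = now + self.ttl     # cache the accepted value for this seed
        return True, "accepted"


def user_response(accepted: bool) -> str:
    """The user-facing message never reveals why a passcode was rejected."""
    return "ok" if accepted else "invalid passcode"
```

The constructed seed in the test is the RFC 6238 reference secret, so the expected codes can be checked against the RFC's own test vectors.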

Cache key format

Mobile Service creates a cache entry using a seed-specific key: identifier-usedtotp

This key ensures the cached passcode is associated with the correct enrolled device.

Logging behavior

If a rejected attempt is caused by a reused TOTP, Mobile Service logs the event.

To the user, the rejection appears as a standard invalid passcode response. In the logs, the event is identified as a duplicate submission.

This helps Support and administrators confirm the reason for the failure during troubleshooting or audits.

UI setting availability

SecureAuth displays the Prevent re-use of TOTP option in the Authentication Apps settings starting in release 24.04 with update 24.4.1.

See step 5 in Authentication apps global MFA settings.

Mobile Service enforces this behavior in all SecureAuth IdP / Identity Platform releases, by default, including releases that do not expose this setting in the New Experience UI.