How Two-Factor Authentication Apps Work Without an Internet Connection
Reajul Hasan Raju (@ujarhr)

Publish Date: May 21, 2025

Have you ever used Google Authenticator or Authy to get a login code? You may have noticed that the app works even when your phone is offline: no Wi-Fi, no mobile data. It still shows a 6-digit code, and that code works.

How is that possible? How does the server know what code your offline device is showing?

What is 2FA?

2FA stands for Two-Factor Authentication. It adds a second check when you log in somewhere. The main idea is that, besides your password (something you know), you also need a temporary code from a device you carry (something you have). This way, even if someone knows your password, they cannot log in without the code. In this article, we will use Google Authenticator as an example to demonstrate the concept.

How does Google Authenticator Create Codes Offline?

When you first set up Google Authenticator with a website, the site generates a secret key and hands it to you, usually as a QR code that you scan. After that:

  1. The app stores a copy of the secret key.
  2. The server (website) keeps its own copy of the same secret key.

After that, both your phone and the server have the same secret. The app uses this secret key and the current time to generate a verification code.

This process works without needing the internet because your phone already has everything it needs: the secret key and the clock.
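To make the setup step concrete, here is an added example (not code from the original post, and not Google Authenticator's own code) of what the website does when it enrolls you: it draws a random 160-bit secret, Base32-encodes it, and packs it into the otpauth:// URI that the QR code carries. The last function is what the app does after scanning. Function names and the issuer/account strings are my own choices, constructed for the demo.

```python
import base64
import secrets
import urllib.parse
from typing import Any, Dict


def generate_secret(num_bytes: int = 20) -> str:
    """Server side: draw a random secret (160 bits, the size RFC 4226 recommends)
    and return it Base32-encoded without padding, the form authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Server side: build the otpauth:// URI that gets rendered into the setup QR code.
    The parameters other than `secret` are the defaults most apps assume anyway."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": secret_b32,
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": 6,
        "period": 30,
    })
    return f"otpauth://totp/{label}?{params}"


def parse_provisioning_uri(uri: str) -> Dict[str, Any]:
    """Phone side: after the scan, pull the secret and parameters back out of the URI.
    From this point on the app never needs the network again."""
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = dict(urllib.parse.parse_qsl(parsed.query))
    secret_b32 = params["secret"].upper()
    # Base32 needs padding to a multiple of 8 characters before decoding.
    raw = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    return {
        "label": urllib.parse.unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": raw,                 # the bytes later used as the HMAC key
        "secret_b32": secret_b32,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


if __name__ == "__main__":
    # Constructed account and issuer for the demo; not real credentials.
    s = generate_secret()
    uri = provisioning_uri(s, "alice@example.com", "ExampleSite")
    print(uri)
    print(parse_provisioning_uri(uri))
```

The secret in the URI is the only time the shared key crosses between the two sides, which is why the QR code should be shown only over HTTPS and never logged or e-mailed.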

How Does the Server Check Your Code?

When you log in and type your 6-digit code, here’s what happens:

  1. The server knows your secret key (it saved it earlier).
  2. It also knows the current time.
  3. It uses the same method your app uses to calculate what your code should be.
  4. Then, it compares your code with its own.
  5. If they match, you are allowed to log in.

Simple, right? Both sides are doing the same math, using the same ingredients.


What is TOTP?

The method explained earlier is called TOTP (Time-Based One-Time Password), standardised in RFC 6238. It is based on:

  • A secret key (never changes)
  • The current time, rounded down to a 30-second step (so it changes every 30 seconds, not every second)

The TOTP formula looks like this:
TOTP = Truncate(HMAC-SHA1(secret key, floor(current Unix time / 30))) mod 10^6

Don’t worry if that looks complicated. It just means:
"Mix the secret key and the current 30-second time step in a special way (an HMAC), then keep 6 digits of the result."

Because the time step only moves every 30 seconds, a new code is generated every 30 seconds.

What About Time Differences?

What if your phone’s clock is a little slow or fast?

That is not a problem. Most servers allow a small "time difference" when checking the generated code. They also try the code for the step just before and the step just after the current one (RFC 6238 recommends at most one step either way, which tolerates roughly 30 seconds to 1 minute of drift). By doing that, small clock mistakes won’t block you from logging in. The window should stay small, because every extra step gives an attacker one more valid code to guess, and a code that has already been accepted must not be accepted a second time, even inside the window.

Quick Note: TOTP doesn’t care about your time zone; both sides count seconds since the Unix epoch (00:00:00 UTC, Coordinated Universal Time, on 1 January 1970), and that number is the same everywhere. So even if you are 10-12 hours ahead of your server’s location, it doesn’t matter.
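The block below is an added example, not part of the original article, that implements the TOTP calculation from the formula above (HOTP from RFC 4226 with the time-step counter from RFC 6238) together with the server-side check just described: a ±1 step window for clock drift and a "last used step" so an accepted code cannot be replayed. Function names are my own; the 20-byte ASCII key in the demo is the RFC 6238 test-vector key, not a real secret, so the output can be compared with the RFC's table.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def time_step(unix_time: Optional[int] = None, period: int = 30) -> int:
    """RFC 6238 counter: whole `period`-second steps since the Unix epoch (UTC),
    which is the same number in every time zone."""
    if unix_time is None:
        unix_time = int(time.time())
    return unix_time // period


def totp(secret: bytes, unix_time: Optional[int] = None,
         period: int = 30, digits: int = 6) -> str:
    """What the phone app computes: HOTP with the time step as the counter."""
    return hotp(secret, time_step(unix_time, period), digits)


def verify_totp(secret: bytes, code: str, unix_time: Optional[int] = None,
                period: int = 30, digits: int = 6, window: int = 1,
                last_used_step: int = -1) -> Optional[int]:
    """What the server does. Returns the time step the code matched, or None.

    `window` is how many steps of clock drift to tolerate on each side
    (1 step = 30 s either way, the widest RFC 6238 recommends).
    `last_used_step` is the step of the last code accepted for this user; the
    caller persists the returned step so the same code cannot be replayed.
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    current = time_step(unix_time, period)
    for drift in range(-window, window + 1):
        step = current + drift
        if step <= last_used_step:          # already consumed (or older): reject
            continue
        # Constant-time compare so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, step, digits), code):
            return step
    return None


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator secrets are Base32 text (A-Z, 2-7); restore padding and decode."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 test-vector key (ASCII "12345678901234567890"); not a real secret.
    key = b"12345678901234567890"
    print("code at T=59:", totp(key, 59))   # RFC table gives 94287082; 6 digits keeps the last six
    print("code now:    ", totp(key))
```

Note that the verifier tries the neighbouring steps only after checking they are newer than the last accepted one; without that check an attacker who captured a code could replay it for up to a minute.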


Why is This Method Secure?

  • The secret key is shared only once, at setup (over the HTTPS page that shows the QR code).
  • After that, the secret never leaves your phone or the server; only the 6-digit code is sent at login, and the code does not reveal the secret.
  • The codes expire very quickly (usually 30 seconds) and should be accepted only once.

Even if an attacker sees one code, it becomes useless after a short time. That’s why app-based 2FA is much safer than SMS-based 2FA, where codes can be intercepted or redirected (for example through SIM swapping). One caveat: a phishing site that forwards your password and code to the real site within the 30-second window can still log in, so TOTP protects against stolen passwords, not against real-time phishing.

A Quick Example:

  • Secret Key --> JBSWY3DPEHPK3PXP (a Base32 string; real secrets use only the letters A–Z and the digits 2–7)
  • Current Time --> 04:12:56 PM, which both sides turn into a count of 30-second steps since 1 January 1970 UTC

At this time, your app uses the secret key and that step count to make a new 6-digit code. On the other hand, the server does the same thing. If the results match, you're in.

No internet is needed for the app. Only simple math and time.
