TOTP Setup: Secure Your Accounts in 5 Steps
Secure your online accounts with TOTP for 2FA! Discover how to set it up in 5 easy steps and why it beats text or email methods. Boost security now!

Jon Mitchell

Introduction
Setting up two-factor authentication can feel overwhelming if you've never worked with TOTP codes before. If you've seen those rotating six-digit codes and wondered how they work—or why they're so important—this guide is for you.
What is TOTP and Why Should You Use It?
Time-based One-Time Passwords, or TOTP, are a form of two-factor authentication (2FA) designed to keep your accounts far more secure than just using a password. If you've ever used Google Authenticator or similar apps, you're already familiar with TOTP—scan a QR code, get a code that changes every 30 seconds, and use that code to log in.
Why use TOTP over text or email-based codes? SMS or email options are tied directly to your phone number or email account, both of which can be compromised (think SIM-swapping or hacked email). TOTP, on the other hand, revolves around a 'secret seed' unique to each account, making it both secure and easy to back up or share if needed.
Understanding the Secret Seed
The core of TOTP is a secret key, called the secret seed. This never changes for your account. Once you enter (or scan) this seed into an authenticator app, the app generates those six-digit codes every 30 seconds. As long as you have that seed, you can create the codes—even on multiple devices. But if someone else gets access to it, they could generate codes and log in as you, so keep it protected.
Why Use a Password Manager like Bitwarden for TOTP?
Many services offer their own proprietary authenticator apps, but there’s no need to use something that locks you in. Here’s where tools like Bitwarden shine. Instead of restricting your codes to a single device, Bitwarden (and similar password managers) let you store secret seeds securely and sync them across your devices. Lose your phone? No problem—you haven't lost access, and getting back in is as simple as logging into your password manager.
How to Set Up TOTP: Step by Step
Step 1: Enable 2FA On Your Account
Log in to your service and find the two-factor authentication (2FA) settings (in this walk-through, I used Zoho). Look for the option to use an authenticator app or OTP.
Step 2: Locate the Secret Seed or QR Code
Some services will give you the secret seed as a text code, others only as a QR code. If you get the text, you can copy it; if it's a QR code, you can scan it with your phone to reveal the seed.
Step 3: Store the Seed in Your Password Manager
Open your password manager and create or edit the login for the service. Find the field for the authenticator key (sometimes called TOTP or 2FA key), and paste in the seed. Save your changes. Now, your password manager will start generating the same rolling six-digit codes.
Step 4: Complete the Setup
Go back to the 2FA setup in your service, and enter the current code generated in your password manager. Hit verify. That’s it—you’re set up!
Step 5: Save Your Backup Codes
Most services offer backup codes in case you lose your device or seed. Copy these. If you’re using a password manager, store them as a secure note alongside your login. You can also write them on paper as a failsafe.
Sharing Access When Needed
Sometimes you’ll need a contractor or team member to access an account. Instead of forwarding emails or texts (which is risky), share the TOTP seed with them securely. They can import it into their authenticator app or password manager and generate codes independently—no need to share your phone or email.
What To Do If You Only Get a QR Code
If a service offers only a QR code and not the text seed, scan it with your phone’s authenticator app to get the key, or use your phone's camera app to extract the text from the QR code. The extracted text is the seed. Paste that into your password manager, and you’re all set.
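To make the seed's role concrete, here is an added example (not from the original post or from any service's code) that reads the seed out of the `otpauth://` URI a setup QR code typically encodes and derives the rolling code from it as RFC 6238 specifies. The sample URI is constructed from the published RFC 6238 test key, and the function names are illustrative.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample: the published RFC 6238 test key, Base32-encoded.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Pull the seed and parameters out of the URI a setup QR code encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI has no secret parameter")
    return {
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }

def totp(secret, at=None, digits=6, period=30, algorithm="SHA1"):
    """Return the RFC 6238 code for Unix time `at` (default: now)."""
    # Seeds are Base32; tolerate spaces, lowercase and missing padding.
    s = secret.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_from_uri(uri, at=None):
    """What any app holding this URI would display at time `at`."""
    return totp(at=at, **parse_otpauth(uri))

if __name__ == "__main__":
    print("current code:", code_from_uri(SAMPLE_URI))
```

Nothing device-specific enters the calculation: the seed and the clock are the only inputs, which is why the same seed works on several devices and why a leaked seed is enough to generate valid codes.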
Final Thoughts
TOTP-based two-factor authentication is a simple, robust way to secure your accounts—far better than relying on email or SMS codes. Using a cross-platform password manager makes it easy to sync, back up, and even share your codes securely as your needs change.
