Where Do Those 6-Digit Codes Come From? OTP and Two-Factor Authentication Explained


Log in to a banking app or a work system and there is often one more step after your password: open an authenticator app and type in a 6-digit code that changes every 30 seconds. But where does that number come from? Your phone produces code after code without ever appearing to talk to a server, and the numbers keep refreshing even in airplane mode. In this post, we will unpack what that 6-digit code really is and what two-factor authentication actually protects you from, in plain language.

What two-factor authentication blocks #

Passwords leak more often than you would think. Attackers try passwords stolen from other sites, and people get tricked into typing theirs into fake login pages. An account protected by nothing but a password is finished the moment that one credential leaks.

Two-factor authentication is not about adding a second lock — it is about adding a different kind of lock. A password is “something you know,” stored in your head. A phone with an authenticator app is “something you have,” held in your hand. Even if an attacker learns your password, they have not gotten hold of your phone, so the door stays shut. Both have to fail at once, which means the account survives even when one side leaks. By the way, what happens after the password check — how a site keeps you logged in — is a separate story we covered in cookies, sessions, and tokens.

What actually happens when you scan that QR code #

When you turn on two-factor authentication, you scan a QR code on the screen with your authenticator app. What this step really does is surprisingly simple: a secret key gets shared between the server and your phone.

Inside the QR code is a long random string created just for your account. The server stores this string in its vault, and the authenticator app on your phone saves the same string. From that moment on, only two parties in the world know this key: the server and your phone. The QR code is merely a way to copy the long string by camera instead of typing it — if you tap “enter a setup key instead,” you can type the same string by hand.

That means the QR code is not a one-time ticket; it is a copy of the original key. Anyone with a screenshot of that setup screen can hold the same key, so once registration is done, it is safer not to keep that QR code screen around.

How the 6-digit code is made #

Now for the main event. The server and your phone hold the same secret key, and both have a clock. That is all it takes.

The authenticator app feeds the secret key and the current time into a fixed formula: a keyed hash, HMAC, for those who want the name. From the long value that comes out, it takes a short slice and keeps the last 6 decimal digits, and that is the number on your screen. The server does exactly the same thing when it verifies: it takes the secret key from its vault and the current time from its own clock, runs the same formula, produces 6 digits, and compares them with what you typed. Same ingredients, same recipe, same answer. That is the whole secret behind both sides conjuring up the same number as if they had agreed in advance.

Time is chopped into 30-second blocks, counted from a fixed starting point (midnight on 1 January 1970, the same zero that computer clocks count from), so the blocks line up on the :00 and :30 of every minute on every device. From 10:00:00, the next 30 seconds all count as the same moment, and then the clock rolls into the next block. That is why the code changes every 30 seconds, and why it can flip only a few seconds after you opened the app. This scheme is called a time-based one-time password, TOTP for short, and is written down in RFC 6238; you do not need to memorize either name. The idea is what matters: a disposable answer manufactured from a clock.

The formula only works in one direction. Turning the secret key into 6 digits is easy, but working backward from those 6 digits to the secret key is practically impossible. So even if someone reads the current code over your shoulder, they cannot know what the code will be 30 seconds from now. What they can do is use the code they saw right away, and that is exactly what a phishing site does: it asks for your password and the current code, then relays both to the real site within the same 30 seconds. The code protects you against a stolen password, not against typing everything into a fake page.

Why it works without internet #

You may have noticed the codes keep refreshing even in airplane mode and wondered how. Once you know the mechanism, it is obvious. The phone does not fetch the number from a server — it computes the number itself, from the secret key stored inside it and its own clock. The server computes its own copy separately. The two never talk; they each do the math and simply check whether the answers match. That is why the authenticator app works abroad with no data plan and in a basement with no Wi-Fi.

The one remaining worry is the clock. If your phone's clock drifts from the server's, the two calculations will diverge, but there is slack built in. Servers typically accept the answers from the adjacent 30-second blocks as well, so a clock that is off by less than about 30 seconds always passes, and even a drift approaching a minute often does. A well-designed server also remembers the last block it accepted from you, so a code you have already used cannot be replayed inside that slack. When an app keeps rejecting your codes and the help page tells you to set your phone's date and time to automatic, that is exactly what that step is fixing.
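Here is the whole mechanism from the last three sections (the setup key behind the QR code, the 6-digit calculation, and the server's clock-drift slack) as one runnable example. This code is added for this post; it is not taken from any authenticator app or service. It uses only Python's standard library and the defaults every mainstream authenticator assumes: HMAC-SHA1, 30-second blocks, 6 digits. The issuer and account names are made up, and the replay check (`last_used`) is one common server-side choice rather than something the standard dictates.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.
Added example for this post; not the code of any real authenticator."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP = 30     # seconds per time block
DIGITS = 6    # digits shown to the user


def new_secret(nbytes: int = 20) -> bytes:
    """The random key the server creates at enrollment (160 bits for SHA-1)."""
    return secrets.token_bytes(nbytes)


def setup_key(secret: bytes) -> str:
    """The 'enter a setup key instead' string: the same bytes, base32, no padding."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """What the enrollment QR code encodes; the app parses it and stores the secret.
    Issuer/account values are whatever the service chooses (made up here)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": setup_key(secret), "issuer": issuer,
        "algorithm": "SHA1", "digits": DIGITS, "period": STEP,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_counter(now: float, step: int = STEP) -> int:
    """Which 30-second block `now` (Unix seconds) falls in, counted from the epoch."""
    return int(now // step)


def totp(secret: bytes, now: Optional[float] = None) -> str:
    """What the authenticator app displays: HOTP with the clock as the counter."""
    if now is None:
        now = time.time()
    return hotp(secret, time_counter(now))


def verify(secret: bytes, code: str, now: Optional[float] = None,
           window: int = 1, last_used: int = -1) -> Optional[int]:
    """Server side. Accepts the current block and `window` blocks either side
    (clock drift), but never a block at or before `last_used` (replay guard,
    an assumption of this example). Returns the matched counter, which the
    caller stores as the new `last_used`, or None on failure."""
    if now is None:
        now = time.time()
    centre = time_counter(now)
    for delta in range(-window, window + 1):
        counter = centre + delta
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    secret = new_secret()
    print(otpauth_uri(secret, "ExampleBank", "alice@example.com"))
    shown = totp(secret)
    print("phone shows:", shown, "server accepts:", verify(secret, shown) is not None)
```

The test vectors in RFC 6238 use the ASCII secret `12345678901234567890`: at Unix time 59 the code is `287082`, and that same code still passes 30 seconds later (one block of drift) but not 60 seconds later. Note that `verify` compares with `hmac.compare_digest` rather than `==`, so the comparison does not leak how many leading digits were right.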

How is this different from SMS codes? #

Getting a verification code by text message looks like the same “something you have” check. But there is a crucial difference. An SMS code is a number the server creates and delivers across the phone network; an authenticator code is a number born inside your phone.

Delivery creates an opening for interception. The classic attack is SIM swapping: a fraudster talks the carrier into moving the victim's phone number onto their own SIM, and from that moment the verification texts are delivered to the attacker's phone. Your phone number feels like your property, but it is really a setting managed by the carrier, and if that setting is hijacked, the "something you have" factor goes with it. An authenticator app has no delivery step to attack. The secret key never leaves the phone and no number travels over the network, so stealing your phone number gets the attacker nowhere near those 6 digits (a fake login page that talks you into typing the current code is a different matter). SMS verification is far better than nothing, but when you have the choice, this is why the authenticator app comes out ahead.

Why they tell you to save your backup codes #

When you enable two-factor authentication, the service shows you a handful of backup codes and tells you to store them somewhere safe. It is tempting to skip past, but once you know the mechanism, you cannot. Your only copy of the secret key lives inside your phone, so lose the phone and you lose the key with it. You may remember your password perfectly, yet have no way through the "something you have" step, locked out of your own account.

Backup codes are the emergency keys for exactly that day. Each one works once and then expires, and it gets you through that step without the authenticator app. Keeping them on the phone defeats the purpose, so the trick is to write them on paper and store them separately, or keep them somewhere that does not share the phone's fate, like a password manager. The same caution applies when switching phones: if you wipe the old phone before finishing the authenticator transfer to the new one, you end up in the same lockout.
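One way a service can implement the single-use behaviour described above, as an added example and not any particular service's code. The code format (two groups of five characters with look-alike letters removed), the scrypt cost parameters and the in-memory store are all choices made for this example; the points that carry over are that the server keeps only a salted slow hash of each code, compares in constant time, and refuses a code the second time it is presented.

```python
"""Single-use backup codes: random at generation, stored hashed, consumed once.
Added example for this post; format and parameters are illustrative choices."""
import hashlib
import hmac
import secrets
from typing import Dict, List

CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/o/1/l/i look-alikes
CODE_LENGTH = 10                                     # ~49 bits per code


def generate_backup_codes(count: int = 10) -> List[str]:
    """Codes shown to the user exactly once, e.g. 'k4mq7-p2x9e' (constructed format)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code: str) -> str:
    """Be forgiving about dashes, spaces and case when the user types a code back."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash(code: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: a leaked table should not yield usable codes.
    # Cost parameters chosen for this example, not a recommendation for production.
    return hashlib.scrypt(_normalize(code).encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class BackupCodeStore:
    """What the server keeps per user: salt, hash and a used flag, never the plaintext."""

    def __init__(self, codes: List[str]):
        self.entries: List[Dict] = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self.entries.append({"salt": salt, "hash": _hash(code, salt), "used": False})

    def remaining(self) -> int:
        return sum(1 for e in self.entries if not e["used"])

    def redeem(self, code: str) -> bool:
        """True the first time a valid code is presented; False for reuse or garbage."""
        for entry in self.entries:
            if hmac.compare_digest(_hash(code, entry["salt"]), entry["hash"]):
                if entry["used"]:
                    return False          # already spent: the "works once" rule
                entry["used"] = True
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("show these to the user once:", codes)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```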

The next step: passkeys #

The passkeys you increasingly see on login screens are the next step in this evolution. They let you sign in with no password at all: a key stored on your phone or computer, unlocked with your fingerprint or face. The key is tied to the site it was created for and is only ever used there, so there is no 6-digit code to copy over and nothing a fake site could trick you into typing. Not every service supports them yet, so for now, a password plus an authenticator app remains the most practical baseline.

Wrapping up #

To sum up: two-factor authentication layers “something you know” on top of “something you have,” so the account holds even when one side leaks. Scanning the QR code is the ritual of sharing a secret key between the server and your phone, and the 6-digit code is the answer both sides get by feeding that key and the current time into the same calculation. Because each side computes on its own with no communication, it works in airplane mode — and because nothing is delivered, it is safer than SMS codes. The next time your authenticator code runs out its 30 seconds and flips to a new number, remember that behind the scenes, your phone and a server somewhere are thinking of the same answer.
