TOTP (Time-based One-Time Password, RFC 6238) is the algorithm behind authenticator apps like Google Authenticator, Authy, 1Password, and Microsoft Authenticator. The app and the server share a secret, provisioned once at enrollment. Every 30 seconds the app derives a new 6-digit code from an HMAC of that secret over the current time step (Unix time divided by 30, as a counter); the server recomputes the same code and compares. The user enters the code as a second factor. Because phone and server clocks drift, a server typically also accepts the codes for the adjacent time steps, and it must refuse to accept a code a second time, since a 30-second window is long enough for an attacker who has captured a code to replay it.
TOTP is stronger than SMS-based MFA (no SIM-swap or carrier-interception risk) and works offline, since a code depends only on the secret and the clock. Setup requires scanning a QR code once (an otpauth:// URI carrying the base32-encoded secret, issuer, and account), after which the authenticator app generates codes locally. One server-side consequence worth noting: unlike a password, the TOTP secret cannot be stored as a one-way hash, because the server must recompute codes from it, so it has to be encrypted at rest and a database compromise exposes every enrolled user's seed.
For customer portals, TOTP is a reasonable default second factor for users who don’t have passkeys available. It is not phishing-resistant, though: a real-time proxy phishing kit can relay a valid code to the real site within its 30-second window, which passkeys are designed to prevent. So offer passkeys first where the client supports them and keep TOTP as the fallback.