---
layout: default
title: Time-based One-Time Password
parent: Configuration
nav_order: 16
---

# Time-based One-Time Password

Authelia uses time based one-time passwords as the OTP method. You have
the option to tune the settings of the TOTP generation, and you can see a
full example of TOTP configuration below, as well as sections describing them.

## Configuration
```yaml
totp:
  issuer: authelia.com
  period: 30
  skew: 1
```

## Options

### issuer
<div markdown="1">
type: string
{: .label .label-config .label-purple } 
default: Authelia
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Applications generating one-time passwords usually display an issuer to
differentiate applications registered by the user.

Authelia allows customisation of the issuer to differentiate the entry created
by Authelia from others.

## Period and Skew

The period and skew configuration parameters affect each other. The default values are
a period of 30 and a skew of 1. It is highly recommended you do not change these unless
you wish to set skew to 0.

The way you configure these affects security by changing the length of time a one-time
password is valid for. The formula to calculate the effective validity period is
`period + (period * skew * 2)`. For example period 30 and skew 1 would result in 90
seconds of validity, and period 30 and skew 2 would result in 150 seconds of validity.


### period
<div markdown="1">
type: integer
{: .label .label-config .label-purple } 
default: 30
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Configures the period of time in seconds a one-time password is current for. It is important
to note that changing this value will require your users to register their application again.

It is recommended to keep this value set to 30, the minimum is 1.

### skew
<div markdown="1">
type: integer
{: .label .label-config .label-purple } 
default: 1
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Configures the number of one-time passwords either side of the current one that are
considered valid, each time you increase this it makes two more one-time passwords valid.
For example the default of 1 has a total of 3 keys valid. A value of 2 has 5 one-time passwords
valid.

It is recommended to keep this value set to 0 or 1, the minimum is 0.

## System time accuracy

It's important to note that if the system time is not accurate enough then clients will seemingly not generate valid
passwords for TOTP. Conversely this is the same when the client time is not accurate enough. This is due to the Time-based
One Time Passwords being time-based.

Authelia by default checks the system time against an [NTP server](./ntp.md#address) on startup. This helps to prevent
a time synchronization issue on the server being an issue. There is however no effective and reliable way to check the
clients.