Time-based one-time password

The Time-based One-time Password (TOTP) block generates a unique, secure authentication code based on a Secret Key. It is used in MFA authentication flows where a time-based one-time password is required to complete a login or verification step.

Notes:

  • The user must be able to generate a Secret Key for the account they'd like to use for TOTP MFA, as a one-time setup.

  • The user must be able to install an authenticator app from one of the renowned providers.

  • Due to Okta’s removal of manual secret key enrollment, it is not possible to perform automated actions involving Okta, as users and third-party tools no longer have access to the shared secret required to generate valid TOTP codes.

Fully expanded, the TOTP block shows the following properties:

[Screenshot: the fully expanded TOTP block]

Note: The screenshot on this page uses the Elegance Design, introduced in 2025.3. If you are using an earlier version, your layout may look different.

Quick-start

  1. Drag Time-based One-time Password onto the canvas.

  2. Provide the Secret (either type it directly or connect it to the Secret input connector), select Algorithm, and connect Result Code to the next block that needs the TOTP value. Optionally adjust Timeout (sec) and Code size (digits).

  3. Run the flow when it’s ready.

Building block parameters

Parameters
  • Block header: Shows the current title of the block. You can rename it by double-clicking the header and typing a new title.

  • Secret: Holds the Secret Key used to generate the TOTP code. You can either enter the Secret Key directly or pass it in through the Secret input connector.

  • Result Code: The generated TOTP code. Connect the Result Code output connector to the next step that requires the MFA code.

  • Algorithm: Specifies which cryptographic algorithm is used to generate the TOTP code. The selected algorithm must match the one configured for the account’s TOTP setup; otherwise the generated code will not be accepted, even if the Secret is correct. The block follows RFC 6238 and supports these options:

    • SHA1: Default option and the most commonly supported choice.

    • SHA256: Use this when the account or MFA provider is configured to use SHA256.

    • SHA512: Use this when the account or MFA provider is configured to use SHA512.

  • Timeout (sec): Defines how long a generated authentication code remains valid before it expires. The default value is 30 seconds.

  • Code size (digits): Sets the number of digits in the generated authentication code. The default is 6 digits, and the allowed range is 1 to 10 digits.
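
How Secret, Algorithm, Timeout (sec) and Code size (digits) combine under RFC 6238 is shown in the Python sketch below. It is an added example, not Leapwork's code: the function names are hypothetical, the secret is the published RFC 6238 test key, and it assumes the Secret is entered as Base32 text, which the page does not state.

```python
import base64
import hashlib
import hmac
import struct

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def decode_secret(secret_b32):
    """Assumption: the Secret is Base32 text, possibly grouped with spaces or dashes."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def totp(key, unix_time, algorithm="SHA1", step=30, digits=6):
    """RFC 6238 code for raw key bytes at unix_time (seconds since the epoch)."""
    if algorithm not in ALGORITHMS:
        raise ValueError("algorithm must be SHA1, SHA256 or SHA512")
    if not 1 <= digits <= 10:
        raise ValueError("digits must be between 1 and 10")
    if step <= 0:
        raise ValueError("step must be a positive number of seconds")
    # The moving factor is the number of whole time steps since the epoch.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, ALGORITHMS[algorithm]).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep the lowest `digits` decimal digits and preserve leading zeros.
    return str(value % 10 ** digits).zfill(digits)

def seconds_remaining(unix_time, step=30):
    """Seconds until the code generated for unix_time stops being current."""
    return step - unix_time % step

# Sample input: the RFC 6238 Appendix B test key ("12345678901234567890"), Base32-encoded.
RFC_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    import time
    key = decode_secret(RFC_SECRET_B32)
    now = int(time.time())
    # Same secret, same instant: each algorithm gives its own code, so a
    # mismatched Algorithm setting is rejected even though the Secret is right.
    for name in ALGORITHMS:
        print(name, totp(key, now, name), "valid for", seconds_remaining(now), "s")
```
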

Resources

  • Flows FAQ: Common questions about creating, running, and managing flows in Leapwork.

  • Flows Troubleshooting: Guidelines and solutions for identifying and fixing issues that occur when building or running flows in Leapwork.