TOTP Two-Factor Authentication for Mobile Crypto App

NOVASOLUTIONS.TECHNOLOGY is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 1735 services
TOTP Two-Factor Authentication for Mobile Crypto App
Medium
~2-3 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_mobile-applications_feedme_467_0.webp
    Development of a mobile application for FEEDME
    756
  • image_mobile-applications_xoomer_471_0.webp
    Development of a mobile application for XOOMER
    624
  • image_mobile-applications_rhl_428_0.webp
    Development of a mobile application for RHL
    1052
  • image_mobile-applications_zippy_411_0.webp
    Development of a mobile application for ZIPPY
    947
  • image_mobile-applications_affhome_429_0.webp
    Development of a mobile application for Affhome
    862
  • image_mobile-applications_flavors_409_0.webp
    Development of a mobile application for the FLAVORS company
    445
Show more works

Two-Factor Authentication (TOTP) in Crypto Mobile App

TOTP (Time-based One-Time Password, RFC 6238) — standard implemented by Google Authenticator, Authy, most corporate 2FA apps. For crypto app, mandatory minimum: SMS codes interceptable via SIM-swap, TOTP — no.

How TOTP Works

Algorithm: HMAC-SHA1 from current time (30-second window) and shared secret. Shared secret generated at 2FA setup and stored both server and user (in authenticator app). No network transmission per auth — just code verification.

On backend verification via: pyotp (Python), otplib (Node.js), google-authenticator (Java). On mobile client, code entered manually from authenticator — no additional TOTP logic needed.

Embedding 2FA in Login Flow

Classic flow: login/password → server check → if user has 2FA enabled, return temporary token → mobile shows TOTP entry screen → server verifies code and issues full JWT.

sealed class LoginState {
    object Idle : LoginState()
    object Loading : LoginState()
    data class TwoFactorRequired(val tempToken: String) : LoginState()
    data class Success(val authToken: String) : LoginState()
    data class Error(val message: String) : LoginState()
}

class LoginViewModel(private val authRepository: AuthRepository) : ViewModel() {
    val state = MutableStateFlow<LoginState>(LoginState.Idle)

    fun submitTOTP(code: String, tempToken: String) {
        viewModelScope.launch {
            state.value = LoginState.Loading
            authRepository.verifyTOTP(code, tempToken)
                .onSuccess { token -> state.value = LoginState.Success(token) }
                .onFailure { e ->
                    state.value = LoginState.Error(
                        if (e is InvalidCodeException) "Wrong code" else "Server error"
                    )
                }
        }
    }
}

2FA Setup by User

Important step — onboarding. Show QR code for scanning in Google Authenticator / Authy, plus text secret for manual entry. QR contains otpauth:// URI:

otpauth://totp/CryptoApp:[email protected]?secret=BASE32SECRET&issuer=CryptoApp&algorithm=SHA1&digits=6&period=30

On Android generate QR via zxing-android-embedded or qrcode-kotlin. On iOS — CoreImage.CIFilter.qrCodeGenerator.

After scanning — mandatory verification: user enters first generated code, backend checks before saving 2FA. Prevents situation where QR poorly scanned and user locked immediately after setup.

Backup Codes

Without backup codes, 2FA in crypto app — risk of irreversible access loss. Generate 8–10 one-time codes on 2FA activation. Backend stores as bcrypt hashes. Mobile shows once with ability to copy or download as text file.

Backup code implementation requires separate login flow branch: TOTP input field — offer switch to "Use backup code". After use — code invalidated, user warned about remaining count.

2FA Screen Protection

Critical in crypto apps: 2FA input screen shouldn't allow screenshots. On Android:

window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)

On iOS UIScreen doesn't prevent screenshots directly, but can hide content on applicationWillResignActive. For input field — isSecureTextEntry = true so text not visible in autofill.

TOTP 2FA integration (setup, login flow, backup codes, screen protection) — 1–2 weeks. Cost estimated individually.