Zoho Vault

TOTP (Vault)

TOTP in Zoho Vault refers to the storage and auto-fill of Time-based One-Time Passwords alongside their associated Secret, enabling two-factor


Storing a TOTP seed in Zoho Vault alongside the password creates a single authoritative location for both authentication factors. This solves the coordination problem where one team member holds the password in Vault and another holds the TOTP on their personal phone, making shared account access unnecessarily fragmented.

How TOTP Works in Zoho Vault

When you enable TOTP on a Secret, you enter the TOTP seed key provided by the target service (the same key you would otherwise scan as a QR code into Google Authenticator). Vault stores this seed encrypted alongside the Secret. At login time, the Vault browser extension can fill both the password and the current 6-digit TOTP code into the appropriate fields. The code is derived from the seed and the current time and changes every 30 seconds, as specified in RFC 6238, exactly as in any other authenticator app.

When to Use TOTP

Add a TOTP seed to a Secret whenever the associated service requires two-factor authentication and the account is shared by more than one person. This avoids binding the second factor to a single team member’s phone. It is equally useful for individual accounts if you want both factors centralised in your vault rather than split across Vault and a mobile authenticator. Avoid storing TOTP in Vault for accounts where security policy explicitly requires the second factor to remain on a separate physical device.

Key Considerations for TOTP

Storing both factors in the same vault reduces the security separation that two-factor authentication is designed to provide. This is a deliberate usability tradeoff and is appropriate for shared team accounts where distributing a phone is impractical. For individual accounts with high security requirements, keep TOTP on a hardware token or separate authenticator app. Ensure your Vault account itself is protected with strong MFA, because it now holds both factors for every linked service. Back up TOTP seeds when initially setting them up, as the target service may not allow re-scanning the QR code later.

India Example: A Pune digital marketing agency stores the TOTP seed for a shared Google Ads account in the same Vault Secret as the password. Three team members can log in independently using the Vault extension without asking a colleague to share a phone code, and all TOTP usage is captured in the audit log.

Does sharing a Secret in Zoho Vault automatically share the TOTP code with the recipient?

Yes. When you share a Secret that has a TOTP seed attached, the recipient can also view and auto-fill the TOTP code, subject to the permission level granted. If the recipient has view-only access, they can use the TOTP code to log in but cannot modify the seed. This makes TOTP sharing as simple as Secret sharing, with the same access controls applying to both factors.

What happens to the TOTP seed if a Secret is deleted from Zoho Vault?

The TOTP seed is stored as part of the Secret record and is deleted along with it. If the Secret is soft-deleted, an admin can restore it with the seed intact within the retention period. If permanently deleted, the seed is gone. Before deleting any Secret with a TOTP seed, disable or re-configure two-factor authentication on the target service first, otherwise you may lose access to that account permanently.

Need help implementing this in Zoho?

Aaxonix is a certified Zoho implementation partner based in Pune. Architecture-first, no surprises.