MoatMoat
Moat Learn

Guides to staying secure.

Clear, jargon-free explainers on two-factor authentication, encryption, and protecting your accounts — written by the people building Moat.

◆ SecurityFeatured · 9 min read

How TOTP works: the math behind your six-digit codes

Every 30 seconds your authenticator produces a fresh code a server accepts — without the two ever talking. We unpack the shared secret, HMAC, dynamic truncation, and the 30-second window, from first principles.

Read the deep-dive →
How a TOTP code is generated from a shared secret and the current time

All guides

How a TOTP code is generated from a shared secret and the current time
Security

How TOTP works: the math behind your codes

The shared secret, HMAC-SHA1, dynamic truncation and clock drift — explained without the hand-waving.

Jun 8, 20269 min read
App-based 2FA codes versus interceptable SMS codes
Basics

Why app-based 2FA beats SMS codes

SIM swapping, SS7 interception and phishing make text codes the weakest second factor. Here's the safer path.

Jun 8, 20266 min read
Zero-knowledge encryption keeps only ciphertext in the cloud
Security

What “zero-knowledge” actually means

“Encrypted” isn't one thing. Here's the difference between holding the keys and genuinely not being able to read your data.

Jun 8, 20265 min read
Recovering your 2FA accounts on a new phone
Guide

Recovering your 2FA after losing your phone

What to set up before — and do after — your phone goes missing, so a lost device never means a lockout.

Jun 8, 20267 min read
What is two-factor authentication?
Basics

What is two-factor authentication (2FA)?

The three factors, the types of 2FA ranked by safety, and how to set it up in about a minute per account.

Jun 11, 20266 min read
Choosing a Google Authenticator alternative
Switching

Choosing a Google Authenticator alternative

The six-point checklist that matters in any authenticator — and how to move every account over in one scan.

Jun 11, 20267 min read
Move your 2FA codes to a new phone
Guide

How to move your 2FA codes to a new phone

The pre-flight checklist and transfer steps that make switching phones painless — without a lockout.

Jun 11, 20266 min read
Passkeys vs 2FA — what's the difference?
Security

Passkeys vs 2FA: what's the difference?

Passkeys replace passwords; 2FA strengthens them. Where each wins, and why most people will run both.

Jun 11, 20266 min read

Protect every account in minutes.

Put what you've learned into practice. Free to start, encrypted on your device, yours alone.

Get Moat free