# Single vs Multiple TOTPs

During TOTP authentication, Mosaic uses the TOTP authenticator to validate codes that are generated by the authenticator app. Depending on the app settings, a user can register one authenticator per application or multiple authenticators—up to 50 per user per app (**Admin Portal** > **B2C Identity** or **B2B Identity** > app > **Authentication methods** > **TOTP** > **Max TOTPs**).

Note
For step-by-step implementation instructions, refer to guides:

- [Login with TOTP (journey-based)](/guides/user/auth_totp_journey)
- [Login with TOTP (backend-initiated APIs)](/guides/user/be_auth_totp).


## Registration

Depending on **Max TOTPs** setting, Mosaic applies custom logic to registering new TOTPs.

### Single-TOTP configuration

- Registers a TOTP unless a user has another active TOTP.
- If there is a TOTP associated with the user, Mosaic can either block registration or override the existing TOTP:
  - For journey-based integrations, this behavior is defined in the [Register TOTP](/guides/orchestration/journeys/register_totp) step > **Single-TOTP behavior**.
  - For API integrations, this behavior is defined by the `allow_override` parameter in the [Register TOTP API](/openapi/user/backend-totp.openapi/other/registertotp#other/registertotp/request/body) call.


### Multiple-TOTP configuration

- Registers a new TOTP as long as the user has not reached the limit.
- Once the limit is reached, Mosaic will always block registration of new TOTPs.


## Authentication

During authentication, Mosaic validates the passcode against all active TOTPs. The authentication succeeds if it matches any of available authenticators.

## Revocation

Mosaic allows revoking TOTP authenticators via:

- [Revoke my TOTP API](/openapi/user/backend-totp.openapi/other/revoketotp) call
- [Revoke TOTP API](/openapi/user/backend-totp.openapi/other/revoketotpmanagement) call
- [Revoke my TOTP](/guides/orchestration/journeys/revoke_my_totp) journey step