As the metaverse evolves and prospers, identity theft is becoming a critical security concern. Traditional PIN-based authentication methods are vulnerable to physical attacks such as video recording or the use of pen and paper. To address this open research issue, researchers are exploring new and more effective VR authentication methods. This paper proposes a time-based one-time password (TOTP) authentication proof of concept for VR users, namely TOTPAuth. TOTPAuth protects VR users against identity theft under two threat models — pen-and-paper and video recording. We conducted empirical evaluations of TOTPAuth, and our results show that it is a highly effective defense against attackers’ attempts to observe and steal user identities. However, there are some trade-offs to consider, like a lower entry accuracy and a longer entry time. For readers interested in exploring TOTPAuth further, the source code is available on GitHub at https://github.com/lpy0927/TOTPAuth/tree/master.