TOTP / 2FA Code Generator
Generate time-based one-time passwords (TOTP) from a Base32 secret key. Visual countdown timer, QR code export, and configurable digits and period. 100% client-side — your secrets never leave your browser.
Secret Key
Enter a Base32-encoded secret key or generate a random one.
About TOTP and Two-Factor Authentication
Time-based One-Time Passwords (TOTP) are a cornerstone of modern two-factor authentication (2FA). Defined by RFC 6238 as an extension of HOTP (RFC 4226), TOTP derives short-lived numeric codes from a shared secret key and the current time. The codes typically refresh every 30 seconds and serve as the second factor in login flows, so a password captured in a breach or reused elsewhere is no longer enough on its own. TOTP is not phishing-resistant, though: a real-time phishing site can relay a freshly entered code to the legitimate service within the same 30-second window. Only origin-bound factors such as FIDO2/WebAuthn close that gap.
How TOTP Works
The TOTP algorithm takes a shared secret key (usually Base32-encoded; the decoded bytes are the HMAC key) and combines it with a time counter. The counter is the current Unix timestamp divided by the period (default 30 seconds), rounded down, and encoded as an 8-byte big-endian integer. That message is passed through HMAC-SHA1 under the secret key to produce a 20-byte hash. Dynamic truncation then extracts the code: the low four bits of the last hash byte select an offset, the four bytes at that offset (with the top bit cleared) form a 31-bit integer, and that integer modulo 10^digits (typically 6) is the code, zero-padded on the left. Because both the server and the authenticator app share the same secret and use the same time reference, they independently generate matching codes without any network communication.
Base32 Encoding
TOTP secrets are encoded in Base32 (RFC 4648), whose alphabet is A-Z and 2-7; the digits 0, 1 and 8 are left out because they are easily confused with O, I and B. Base32 is preferred over Base64 for secrets because it has no case distinction to get wrong (decoders usually accept lowercase as well), uses no punctuation, and is easier to read out and type manually. Each character carries 5 bits, so a 16-character secret holds 80 bits and a 32-character secret 160 bits; RFC 4226 requires a shared secret of at least 128 bits and recommends 160. This tool accepts Base32 secrets with or without padding characters (=).
The otpauth:// URI
The otpauth://totp/ URI scheme is the de facto standard for provisioning TOTP secrets into authenticator apps. The path carries a label of the form issuer:account, and the query string carries the secret (Base32, without padding), issuer, algorithm, digits and period; apps fall back to SHA1, 6 digits and 30 seconds when the optional parameters are absent. When rendered as a QR code, users can scan it with apps like Google Authenticator, Authy, Microsoft Authenticator, or 1Password. This tool generates both the URI and a scannable QR code for easy setup. Note that the QR code is the secret in another form: anyone who photographs or screenshots it can enrol the same account.
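Building and parsing such a URI, as an added example that is not the tool's own code. It stops at the parsed parameters (code generation is a separate step) and rejects the things an enrolment endpoint should reject: a non-totp type, a malformed secret, an unsupported digit count or algorithm, and an issuer that disagrees between label and parameter. The issuer Example Corp, the account alice@example.com and the secret JBSWY3DPEHPK3PXP are constructed sample values.

```javascript
// Added example, not the tool's own source: build and parse otpauth://totp/ URIs
// in the Key URI format that Google Authenticator and compatible apps read.
// The issuer, account and secret used below are constructed sample values.

const BASE32_RE = /^[A-Z2-7]+$/;

// Canonicalise a Base32 secret the way the URI expects it: uppercase,
// no whitespace, no '=' padding. Throws on anything outside A-Z / 2-7.
function normalizeSecret(secret) {
  const s = String(secret).toUpperCase().replace(/[\s=]/g, '');
  if (!BASE32_RE.test(s)) throw new Error('secret must be Base32 (A-Z, 2-7)');
  return s;
}

function buildOtpauthUri({ issuer, account, secret, algorithm = 'SHA1', digits = 6, period = 30 }) {
  if (!issuer || !account) throw new Error('issuer and account are required');
  // The label is "issuer:account"; both halves are percent-encoded so that
  // spaces, '@' and ':' inside them survive. Spaces become %20, not '+'.
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`;
  const params = { secret: normalizeSecret(secret), issuer, algorithm, digits, period };
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${encodeURIComponent(String(v))}`)
    .join('&');
  return `otpauth://totp/${label}?${query}`;
}

function parseOtpauthUri(uri) {
  const url = new URL(uri); // WHATWG URL handles non-special schemes: host is the OTP type
  if (url.protocol !== 'otpauth:' || url.hostname !== 'totp') {
    throw new Error('not an otpauth://totp/ URI');
  }
  const label = decodeURIComponent(url.pathname.replace(/^\/+/, ''));
  const sep = label.indexOf(':');
  const labelIssuer = sep >= 0 ? label.slice(0, sep).trim() : '';
  const account = sep >= 0 ? label.slice(sep + 1).trim() : label;
  const q = url.searchParams;

  const secret = normalizeSecret(q.get('secret') || ''); // throws if missing or malformed
  const algorithm = (q.get('algorithm') || 'SHA1').toUpperCase();
  if (!['SHA1', 'SHA256', 'SHA512'].includes(algorithm)) {
    throw new Error(`unsupported algorithm: ${algorithm}`);
  }
  const digits = Number(q.get('digits') || 6);
  if (digits !== 6 && digits !== 8) throw new Error(`digits must be 6 or 8, got ${q.get('digits')}`);
  const period = Number(q.get('period') || 30);
  if (!Number.isInteger(period) || period <= 0) throw new Error(`invalid period: ${q.get('period')}`);
  const paramIssuer = q.get('issuer');
  if (paramIssuer && labelIssuer && paramIssuer !== labelIssuer) {
    throw new Error('issuer in label and issuer parameter disagree');
  }
  return { issuer: paramIssuer || labelIssuer, account, secret, algorithm, digits, period };
}

// Round trip on constructed sample data.
const sampleUri = buildOtpauthUri({
  issuer: 'Example Corp',
  account: 'alice@example.com',
  secret: 'jbsw y3dp ehpk 3pxp', // constructed; lowercase and spaces are normalised away
});
console.log(sampleUri);
console.log(parseOtpauthUri(sampleUri));
```

The issuer is carried twice (label prefix and issuer parameter) because older apps read only one of the two; emitting both and checking they agree on parse avoids a provisioning record that displays under one name and validates under another.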
Security Considerations
A TOTP code is valid only for its time step plus whatever drift window the server allows, so a code captured from a log or a screenshot is useless a minute later. Within that window, however, it can be replayed unless the server records the last counter it accepted and refuses anything at or below it; RFC 6238 requires exactly this, and a verifier that skips it will accept the same code twice. The shared secret itself must be protected: anyone who obtains the Base32 secret can generate valid codes indefinitely, so store it encrypted at rest, in a vault or a hardware security module, and never in logs or plaintext configuration. This tool processes everything client-side using the Web Crypto API for HMAC-SHA1 computation, so your secret key is never sent to a server.
6-Digit vs 8-Digit Codes
Most services use 6-digit codes, which give one million possible values per time step; some high-security applications use 8-digit codes for 100 million. A blind guess succeeds with probability 1 in 10^digits per attempt, so the real defence against online guessing is rate limiting and lockout on the verifier, not the digit count alone. The period (typically 30 or 60 seconds) determines how often codes change. A shorter period narrows the interval in which a captured code can be reused, but it also raises the chance that a code expires while the user is still typing it. To tolerate clock drift, most verifiers accept codes from the previous and next time steps as well as the current one (a window of ±1 step); a wider window lengthens the replay interval and should be avoided.
Common TOTP Implementations
TOTP is supported by virtually every major service including Google, GitHub, AWS, Microsoft, Dropbox, and thousands more. Popular authenticator apps include Google Authenticator, Authy, Microsoft Authenticator, 1Password, and Bitwarden. Hardware tokens such as the YubiKey can also hold TOTP secrets, computing codes through a companion app (Yubico Authenticator) so the secret never sits on the host. This tool is useful for developers testing TOTP integration, verifying secret key setup, or generating codes when an authenticator app is not available.
100% Client-Side Processing
All TOTP generation in this tool happens entirely in your browser. The HMAC-SHA1 computation uses the Web Crypto API, and the Base32 decoding is implemented in pure JavaScript. No data is transmitted to any server, so no server ever sees your secret. That is not the same as the tool being safe for production secrets: anything pasted into a browser page can be read by browser extensions, clipboard managers and anyone with access to the machine, and a secret that lives on the same device as your password no longer gives you a second factor. Use it with test secrets, and treat any production secret you do enter here as one to rotate afterwards.