TOTP Generator
Generate time-based one-time passwords (RFC 6238) from a base32 secret in real time. Compatible with Google Authenticator, Authy, 1Password, and any standard 2FA service.
About TOTP
TOTP (Time-based One-Time Password, RFC 6238) is the algorithm behind Google Authenticator, Authy, and the "verification code" you type during two-factor authentication. The server and client share a secret; both compute the current code from HMAC(secret, floor(unix_time / step)) and truncate it to 6 digits. Because the input is the current time, the code changes every 30 seconds without any network round-trip.
How It Works
- The server generates a random secret (typically 160 bits) and shows you a base32 representation or an otpauth:// QR code.
- Your authenticator app decodes the base32 secret and stores it.
- Every 30 seconds, both the server and your app compute HMAC-SHA1(secret, floor(time / 30)) and apply dynamic truncation to extract a 6-digit code.
- You enter that code when logging in. The server accepts the current window — and usually the previous one — to tolerate small clock drift.
Common Compatibility
- Google Authenticator, Authy, 1Password, Microsoft Authenticator: SHA-1, 6 digits, 30 s — the universal default.
- Some banking and enterprise tools: SHA-256 or SHA-512, 7 or 8 digits.
- HOTP (RFC 4226): counter-based instead of time-based. Used by some hardware tokens; this tool does TOTP only.
Frequently Asked Questions
All HMAC and base32 decoding happens in your browser via the Web Crypto API. The secret is never transmitted. That said, your TOTP secret is the same kind of credential as a password — only paste it into tools and devices you trust. For production 2FA, store the secret in a dedicated authenticator app or hardware token, not a web tool.
HOTP (RFC 4226) uses a counter that increments with each use. TOTP (RFC 6238) uses the current Unix time divided by a step (usually 30 s) as the counter — so the code changes automatically. TOTP is what Google Authenticator, Authy, and most 2FA flows use.
Almost always a clock skew. TOTP requires both ends to agree on Unix time within a few seconds. If your computer's clock is off by more than ~30 s, codes will be wrong. Servers usually accept the previous and next windows to tolerate small skew.
Defaults — SHA-1, 6 digits, 30 s step — are what almost every service uses. Some (Microsoft Authenticator, banking apps) use SHA-256 or 8 digits. The secret's source (otpauth:// URI or QR code) usually tells you which parameters to pick.
Yes — paste the full otpauth://totp/... URI into the secret field. The parser extracts the secret and parameters automatically.