🔒 TOTP / 2FA Generator
Generate secrets, scan QR codes, verify 6-digit codes. RFC 6238 compliant.
Last updated: May 18, 2026 · By Λ
What TOTP is and why it works
TOTP stands for Time-based One-Time Password. It is the standard behind every "6-digit code from your authenticator app" prompt you have ever seen. Specified in RFC 6238 (2011), it takes a shared secret and the current time, computes an HMAC, and truncates the result to a 6-digit code. Both your phone and the server compute the same code from the same inputs, so the shared secret itself never has to travel across the network at login.
The reason TOTP is more secure than SMS-based 2FA: there is no delivery channel to intercept. SIM-swapping attacks, SS7 vulnerabilities, and SMS forwarding all break SMS 2FA. TOTP is offline, lives on your device, and rotates every 30 seconds.
How to use this tool
To set up TOTP for an app you are building: hit "New" to generate a fresh Base32 secret, set the issuer and account fields to something recognizable, and scan the QR code with your authenticator. The current code updates every 30 seconds. Store the secret server-side (encrypted at rest) and verify codes by recomputing them with the same algorithm.
To verify a code: type the 6-digit number from your authenticator into the verify field. The tool also accepts the previous time window (30 seconds ago) and the next one to handle clock drift, which is how real implementations work.
Implementation notes for developers
Default parameters. 6 digits, 30-second period, SHA-1 algorithm. Almost all authenticator apps assume these defaults and silently break if you change them. SHA-256 and SHA-512 are part of the spec but rarely supported in mobile apps; stick with SHA-1 for compatibility.
Secret length. RFC 6238 recommends at least 128 bits (16 bytes / 26 Base32 characters). The "New" button generates 20 bytes (32 Base32 chars), which is what Google Authenticator uses.
Clock drift. Real implementations check the previous and next time windows to allow ~60 seconds of skew. Strict implementations only check the current window, which causes "code is correct but server says wrong" complaints.
Replay protection. Once a code is used, remember it for at least the current window and reject reuse. Otherwise an attacker who captures one code can replay it.
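The notes above describe a server-side verifier in four pieces: tolerant Base32 decoding, the RFC 6238 HMAC-and-truncate step, a ±1 window for clock drift, and a reject-on-reuse check. The following is an added example of those pieces in Python using only the standard library; it is not this tool's own code (the tool runs on Web Crypto in the browser). The function and class names are my own, and the secret used in the comments is the RFC 6238 test key, not a value from this page.

```python
import base64, hashlib, hmac, re, struct, time

def decode_base32_secret(text):
    """Normalize a pasted secret the way the page describes: uppercase,
    keep only A-Z and 2-7, restore '=' padding, then Base32-decode."""
    cleaned = re.sub(r"[^A-Z2-7]", "", text.upper())
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp(key, for_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HMAC(key, time-step counter) followed by RFC 4226
    dynamic truncation. algorithm is a hashlib name: sha1/sha256/sha512."""
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Verifier:
    """Accepts the previous, current and next window (window=1 gives ~60 s
    of skew) and refuses to accept the same code twice for one counter."""
    def __init__(self, key, window=1, **params):
        self.key, self.window, self.params = key, window, params
        self.used = {}   # counter -> code already accepted (prune in production)

    def verify(self, code, now=None):
        """Return the matching offset (-1, 0, +1) or None on failure/replay."""
        now = time.time() if now is None else now
        period = self.params.get("period", 30)
        for offset in range(-self.window, self.window + 1):
            t = now + offset * period
            if t < 0:
                continue                          # no counter before the epoch
            counter = int(t) // period
            expected = totp(self.key, t, **self.params)
            if hmac.compare_digest(expected, code):  # constant-time compare
                if self.used.get(counter) == code:
                    return None                   # replay of a spent code
                self.used[counter] = code
                return offset
        return None
```

The decoded key b"12345678901234567890" with SHA-1 at T=59 yields 94287082 in the RFC's 8-digit table, so a 6-digit verifier expects "287082" for that window.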
Privacy
Secret generation and every HMAC run through the Web Crypto API right on this page, which means the key material you create here is never transmitted to this site or to anyone else. The QR code is rendered with a hand-rolled QR encoder, not generated by an external service. Do not, however, share the QR code or secret with anyone you do not trust to log in as you.
FAQ
Can I paste a secret from an existing account instead of generating one?
Yes. The Base32 field accepts any secret you already have. Lowercase letters, spaces, and stray punctuation are tolerated because the decoder uppercases the input and strips every character outside A-Z and 2-7 before computing codes.
Why does my authenticator show a different code than this page?
Check the three dropdowns first. Digits (6, 7, or 8), period (30 or 60 seconds), and algorithm (SHA-1, SHA-256, SHA-512) all change the output, and many apps quietly ignore non-default values when importing. If the parameters match, compare your device clocks; a skew larger than one period guarantees disagreement.
What exactly does the Verify button check?
It recomputes the code for the previous, current, and next time windows against the configured secret and reports which offset matched. A code up to one period old (or one period early) still passes, mirroring how tolerant servers behave.
What is in the otpauth URI shown under the configuration?
It is the otpauth://totp/ string that the QR code encodes: secret, issuer, account label, algorithm, digit count, and period in one line. Anyone who reads it can derive your codes, so treat the URI with the same care as the secret itself.
Related
For hashing passwords (different problem), see the password hashing in 2026 blog post. For other security utilities, see the hash generator and JWT decoder.