TOTP Generator
Paste a Base32 secret and get a live TOTP code — the same algorithm used by Google Authenticator and 1Password. Runs entirely in your browser.
How to use TOTP Generator
- Find the Base32 secret a site gives you when enrolling in two-factor authentication — it is the string behind the "can't scan the QR code?" link.
- Paste that secret into the input box. Spaces and lowercase letters are handled automatically.
- Read the current 6-digit TOTP code shown in large digits.
- Watch the progress bar — the code refreshes every 30 seconds, the standard TOTP window.
- Copy the code and enter it into the site before the timer runs out.
How time-based one-time passwords (TOTP) work
When a website asks you to enable two-factor authentication and shows a QR code, it is almost always setting up TOTP — the Time-based One-Time Password algorithm defined in RFC 6238. This is the same mechanism behind Google Authenticator, Authy, 1Password, and Microsoft Authenticator. This tool implements that exact algorithm in your browser so you can see a live code from any Base32 secret.
The algorithm in plain terms
TOTP combines two ingredients: a shared secret (the Base32 string behind the QR code) and the current time. The steps are:
- Take the number of seconds since 1 January 1970 and divide by 30 to get a counter that ticks once every 30 seconds.
- Compute an HMAC-SHA1 of that counter using the shared secret as the key.
- Apply "dynamic truncation" to pull a 31-bit number out of the HMAC, then take it modulo 1,000,000 to land on a 6-digit code.
Because the server holds the same secret and reads the same clock, it runs the identical calculation and expects the identical code. No message has to pass between your device and the server to generate it. That offline property is what makes TOTP resilient and easy to deploy.
TOTP versus HOTP
TOTP is built on top of HOTP (RFC 4226), the original HMAC-based one-time password. The only difference is the moving part: HOTP uses an event counter that increments each time you request a code, while TOTP uses time itself as the counter. Time-based codes win in practice because there is nothing to keep in sync except the clock, and clocks are easy to synchronize.
The 30-second window and clock skew
The default period is 30 seconds, which is why this tool shows a draining progress bar. A short window means a code intercepted by an attacker is useless almost immediately. Servers usually accept the code from the adjacent window too, to tolerate small clock differences between your device and theirs. If your codes are consistently rejected, the culprit is nearly always an inaccurate device clock — sync it to network time and try again.
Good practices for two-factor authentication
- Save your backup codes. If you lose access to your TOTP secret you can be locked out; recovery codes are your fallback.
- Keep the secret secret. Anyone who copies your Base32 secret can generate your codes forever, so protect it like a password.
- Prefer a hardware key for high-value accounts. FIDO2/WebAuthn keys resist phishing in ways that typed TOTP codes cannot.
- Use this tool for testing and backups — and a dedicated app or device as your everyday authenticator.
Related security tools
- Password Generator — the first factor that a TOTP code is meant to back up; make it strong and unique.
- Random Token Generator — produces the same kind of high-entropy shared secret that seeds a TOTP enrollment.
- Passphrase Generator — a memorable master credential for the vault where you keep your 2FA backup codes.
Frequently asked questions
What is TOTP and how does it work?
What is the difference between TOTP and HOTP?
Why does the code change every 30 seconds?
Is this as safe as my phone's authenticator app?
Is my secret sent anywhere?
My code is rejected — what went wrong?
Does this support hardware security keys?
What is the Base32 secret and why that encoding?
Built by Muhammad Tahir · About