TOTP Generator

🔐 What is TOTP?

TOTP (Time-based One-Time Password) is a widely adopted algorithm for generating temporary passwords that change every 30 seconds. You've likely used it before — apps like Google Authenticator, Authy, and Microsoft Authenticator all rely on this technology to add an extra security layer to your accounts.

The beauty of TOTP lies in its simplicity: both the server and your device share a secret key, and using the current time as a reference, they independently calculate the same 6 or 8 digit code. No network connection required for code generation, making it reliable even offline.

⚙️ How This Tool Works

This generator implements the RFC 6238 TOTP standard with full compatibility for Google Authenticator and similar apps. Everything runs directly in your browser using WebAssembly — your secrets never leave your device.

🔥 Key Features:

  • Secret Generation: Create cryptographically secure random secrets in 16, 20, or 32 byte lengths
  • Multiple Algorithms: Support for SHA-1 (default), SHA-256, and SHA-512 hash functions
  • Flexible Time Steps: Choose between 15, 30, or 60 second intervals
  • Variable Digits: Generate standard 6-digit or extended 8-digit codes
  • QR Code Export: Instantly generate scannable QR codes for authenticator apps
  • Code Verification: Test OTP codes with configurable time tolerance
  • Debug Mode: Peek under the hood to see HMAC calculations and truncation steps
  • Fully Offline: All processing happens locally in WebAssembly

📊 Understanding the Algorithm

TOTP builds on HOTP (HMAC-based One-Time Password) by using time as the counter value. Here's what happens every time a code is generated:

Step 1: Calculate Time Counter

T = floor(Unix_Time / Time_Step)

The current Unix timestamp is divided by the time step (usually 30 seconds) to get a counter value that changes at predictable intervals.

Step 2: Generate HMAC

HMAC = HMAC-SHA1(Secret, Counter)

The shared secret and counter are combined using HMAC with the selected hash algorithm. This produces a cryptographic hash that's unique to this specific secret and time.

Step 3: Dynamic Truncation

The last nibble (4 bits) of the HMAC determines an offset. Four bytes starting at this offset are extracted and converted to a 31-bit integer.

Step 4: Generate OTP

OTP = Integer mod 10^digits

Finally, the integer is reduced to the desired number of digits using modulo operation. The result is zero-padded if needed.

🔑 About Secret Keys

The secret key is the foundation of TOTP security. It's shared between your authenticator app and the service you're protecting.

Secret Length Recommendations:

  • 16 bytes (128-bit): Minimum secure length. Good for most applications.
  • 20 bytes (160-bit): Standard length matching SHA-1 output. Most commonly used.
  • 32 bytes (256-bit): Maximum security. Recommended for high-value accounts.

Base32 Encoding

Secrets are encoded in Base32 format using characters A-Z and 2-7. This encoding is case-insensitive and avoids confusing characters like 0/O and 1/I, making manual entry more reliable.

📱 Algorithm Compatibility

SHA-1 (Default)

Compatibility: Universal — works with Google Authenticator, Authy, Microsoft Authenticator, 1Password, and virtually all TOTP apps

Note: While SHA-1 has known weaknesses for digital signatures, it remains secure for HMAC in TOTP context

SHA-256

Compatibility: Supported by Authy, 1Password, and most enterprise authenticators. Not supported by default Google Authenticator

Best for: Higher security requirements where you control both ends

SHA-512

Compatibility: Limited support. Works with specialized authenticators and custom implementations

Best for: Maximum security in controlled environments

Recommendation: Stick with SHA-1 for public-facing services to ensure maximum compatibility. Use SHA-256/512 only when you know your users' authenticator apps support them.

💼 Common Use Cases

1. 🧪 Development & Testing

  • Generate test secrets for 2FA implementation
  • Verify your server's TOTP validation logic
  • Debug time synchronization issues
  • Test different algorithm and digit configurations

2. 🔒 Security Administration

  • Generate secrets for service accounts
  • Create backup codes for emergency access
  • Verify user-reported OTP issues
  • Test time drift between server and clients

3. 📚 Education

  • Learn how TOTP works step by step
  • Visualize the HMAC and truncation process
  • Understand RFC 6238 implementation details
  • Compare different algorithm outputs

⏱️ Time Synchronization

TOTP depends on synchronized clocks between the code generator and validator. Here's what to know:

  • Time Source: This tool uses your device's system time via JavaScript
  • Tolerance Window: Most services accept codes within ±1 time step (±30 seconds by default)
  • Clock Drift: Mobile devices typically sync time automatically. Manual time settings can cause validation failures
  • Network Time: For production servers, always use NTP to maintain accurate time

The verification section lets you test with different tolerance levels — useful for understanding how time windows affect code acceptance.

❓ Frequently Asked Questions

Q: Why does Google Authenticator only show SHA1 codes?

A: Google Authenticator's default scanning only supports SHA-1 for broad compatibility. While the otpauth:// URI format supports algorithm parameters, many consumer apps ignore them. For SHA-256 or SHA-512, use apps like Authy, 1Password, or enterprise authenticators that explicitly support these algorithms.

Q: Is it safe to use this tool for real accounts?

A: Yes, but with understanding. This tool runs entirely in your browser — no data is transmitted anywhere. However, for production 2FA, always generate secrets on your server and only share them once via QR code. Never store plaintext secrets in logs or databases without encryption.

Q: My codes don't match the authenticator app. Why?

A: Common causes: 1) Time sync issue — check your device's clock against time.is. 2) Wrong algorithm — most apps default to SHA-1. 3) Different time step — standard is 30 seconds. 4) Digits mismatch — ensure both use 6 or 8 digits.

Q: Can I recover a lost secret?

A: No. TOTP secrets are meant to be known only to you and the service. If you lose your secret, you'll need to reset 2FA with the service using backup codes or account recovery.

Q: Why use Base32 instead of Base64?

A: Base32 uses only uppercase letters and digits 2-7, avoiding visually ambiguous characters (0/O, 1/I/l). This makes manual entry much less error-prone, which matters when typing secrets from printed backup codes.

Q: What's the difference between TOTP and HOTP?

A: HOTP uses a counter that increments with each code generation. TOTP uses time as the counter. TOTP codes expire automatically (typically every 30 seconds), while HOTP codes remain valid until used. Most modern 2FA uses TOTP for its self-expiring nature.

🔗 Related Tools

  • CRC Tool - Calculate CRC checksums with 100+ algorithms for data integrity verification
  • File Hash Calculator - Calculate MD5, SHA-1, SHA-256, SHA-512 hashes for files and text
  • JWT Encoder & Decoder - Create, decode, verify, and debug JSON Web Tokens with HMAC signature support and claim inspection
  • TLS Certificate Analyzer - Parse and analyze X.509 TLS/SSL certificates with chain visualization, expiration tracking, cipher suite info, and security vulnerability detection

Secret Key Management

TOTP Settings

Generated OTP
Enter a secret key to generate OTP
Unix Time: 1766316020
Counter (T): 58877200

QR Code & URI

No QR code
Scan QR code with Google Authenticator, Authy, or any TOTP app

Verify OTP Code