OTP Generator

The OTP Generator computes TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password) codes from a Base32 secret key. It is compatible with authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator. Use it to test two-factor authentication (2FA) implementations, verify secrets, or generate codes during development without needing a physical phone.

What are TOTP and HOTP?

HOTP (HMAC-based One-Time Password, RFC 4226) generates a one-time password by computing HMAC-SHA1 of a shared secret and a counter value, then truncating the result to a 6–8 digit code. Each code is valid until used, requiring synchronized counter state between client and server. TOTP (Time-based One-Time Password, RFC 6238) extends HOTP by deriving the counter from the current Unix timestamp divided by a time step (usually 30 seconds). This makes TOTP codes self-expiring without requiring counter synchronization. TOTP is the algorithm used by virtually all 2FA authenticator apps. Both algorithms rely on a shared Base32-encoded secret that is typically distributed via a QR code during the setup flow.

How does the tool work?

For TOTP, the tool decodes the Base32 secret to raw bytes and computes the current time counter as floor(currentUnixTime / 30). It then computes HMAC-SHA1 (or HMAC-SHA256/SHA512 for extended TOTP) with the secret as the key and the 8-byte big-endian counter as the message. Dynamic truncation takes the low 4 bits (the last nibble) of the HMAC output as a byte offset, reads a 4-byte big-endian integer from that offset, clears its most significant bit, and takes the result modulo 10^digits (typically 10^6) to produce the 6-digit code. The tool shows the current code, the remaining seconds until the next code, and optionally the previous and next codes for the adjacent time windows.
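The computation described above, together with the server-side check it is normally tested against, as an added example (not the tool's own code). The function names, the ±1 step acceptance window and the last_counter replay guard are assumptions of this sketch; the key in the demo is the published RFC 4226 test key, not a real secret.

```python
import base64
import hmac
import struct
import time

def b32_secret(text: str) -> bytes:
    """Decode a Base32 secret; tolerate spaces, lowercase and missing '=' padding."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear top bit
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros

def totp(key, now=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(key, int(now // step), digits, algo)

def verify_totp(key, submitted, last_counter=-1, now=None,
                step=30, window=1, digits=6, algo="sha1"):
    """Return the matched time counter, or None.

    Accepts the current step and `window` steps either side to absorb clock
    skew. Counters <= last_counter are rejected so a code cannot be replayed;
    the caller stores the returned counter after a successful login.
    """
    now = time.time() if now is None else now
    current = int(now // step)
    matched = None
    for c in range(max(0, current - window), current + window + 1):
        # Constant-time comparison; every candidate is checked, no early exit.
        ok = hmac.compare_digest(hotp(key, c, digits, algo).encode(),
                                 submitted.encode())
        if ok and c > last_counter:
            matched = c
    return matched

if __name__ == "__main__":
    key = b32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 4226 test key
    code = totp(key)
    print(code, verify_totp(key, code))
```

A wider window tolerates more clock drift but lengthens the time an intercepted code stays usable, so keep it as small as the client clocks allow.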

Typical Use Cases

  • Testing a 2FA implementation by generating expected TOTP codes for a known secret
  • Verifying that a TOTP secret from a QR code is correctly encoded before distributing to users
  • Generating HOTP codes with a specific counter value for integration testing
  • Recovering a 2FA code when your phone is unavailable during development

Step-by-step Guide

  1. Enter the Base32 TOTP secret (from the QR code or app setup screen).
  2. Select TOTP (time-based) or HOTP (counter-based) mode.
  3. For HOTP, enter the counter value; for TOTP, the current time is used automatically.
  4. Copy the 6-digit code and use it to authenticate or test your implementation.

Example

Input
Secret: JBSWY3DPEHPK3PXP | Mode: TOTP
Output
Current code: 123456 (updates every 30 seconds)

Tips & Notes

  • TOTP codes expire every 30 seconds – check the countdown timer and enter the code before it refreshes.
  • Make sure your device clock is accurate (synchronized with NTP); TOTP codes are time-dependent and will be wrong if the clock is off by more than 30 seconds.
  • Store TOTP secrets as securely as passwords – anyone with the secret can generate valid codes indefinitely.

Frequently Asked Questions

What is the difference between TOTP and HOTP?
HOTP is counter-based: each code is valid until used, and the counter must be synchronized between client and server. TOTP is time-based: codes expire automatically every 30 seconds using the current time as the counter. TOTP is the standard used by authenticator apps because it avoids counter synchronization issues.
Is the TOTP secret the same as the QR code?
No. The QR code encodes an 'otpauth://' URI that contains the secret, issuer name, account label, and algorithm parameters. The secret is the Base32 string within that URI. Scanning the QR code in an authenticator app extracts the secret automatically.
Can I use SHA-256 or SHA-512 instead of SHA-1 for TOTP?
RFC 6238 allows SHA-256 and SHA-512, but in practice virtually all authenticator apps use SHA-1. Using a different algorithm will cause compatibility issues with standard apps unless both client and server explicitly agree on the algorithm.