
🔐 2FA TOTP Generator

Generate time-based one-time passwords (TOTP) and scannable QR codes, compatible with Google Authenticator, Authy, Microsoft Authenticator, and all RFC 6238 apps.

  • Algorithm: TOTP
  • Hash: HMAC-SHA1 / SHA-256 / SHA-512
  • Period: 30 or 60 seconds
  • Standard: RFC 6238 / RFC 4226
Privacy: Secret never leaves your browser
100% private. All TOTP computation runs locally in your browser via the Web Crypto API. Your secret key, QR code, and one-time passwords are never transmitted to any server.
Configure Your TOTP Secret

  • Account: the email or username displayed in your authenticator app.
  • Issuer: your service or application name.
  • Secret: store this securely; it's the root of your 2FA codes.

Scan with Authenticator App
Live One-Time Password

Code refreshes automatically at each time boundary. Enter it in your app before the timer expires.

How It Works

1. Generate Secret
A cryptographically random 160-bit key is created in your browser and Base32 encoded.
2. Scan QR Code
Scan the otpauth:// QR code with any RFC 6238 authenticator app to enrol.
3. 30-Second Codes
Both your app and this tool derive the same HMAC-SHA code from the shared secret and current time.
4. Two-Factor Security
Even if your password is compromised, an attacker still needs the rotating code from your device.

2FA TOTP Generator guide

How TOTP authentication secures your accounts

TOTP (Time-Based One-Time Password, RFC 6238) builds on the HOTP algorithm (RFC 4226) by replacing the moving counter with a time value: the number of 30-second steps since the Unix epoch. Both your authenticator app and the server share a secret key and independently compute HMAC-SHA1 over that step counter. Because the code is never transmitted in advance and is valid only for its time window, an intercepted code is of little use: the window expires before it can be replayed. This makes TOTP one of the most widely deployed second-factor mechanisms in the world, used by Google, GitHub, AWS, Cloudflare, and thousands of other services.

This generator is entirely browser-based. The Web Crypto API (crypto.subtle) handles all HMAC computation without sending a single byte to any server. The secret is encoded in RFC 4648 Base32 — the format expected by every major authenticator app. The resulting otpauth:// URI encodes the algorithm, digit count, period, and issuer, making it trivially scannable as a QR code. Store your raw secret in a password manager so you can re-enrol if you change devices.
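The otpauth:// URI described above can be built and parsed in plain JavaScript; this is an added example, not the tool's own code, and the function names and validation rules (Base32 charset, SHA-1/256/512 only, 6 or 8 digits) are the example's own choices:

```javascript
// Added example, not the tool's own code: build and parse the otpauth:// URI that
// the QR code carries, checking the parameters the page lists (algorithm, digits,
// period, issuer) before they reach an enrolment flow.
const B32_RE = /^[A-Z2-7]+=*$/;               // RFC 4648 Base32 alphabet
const ALGORITHMS = ["SHA1", "SHA256", "SHA512"];

function buildOtpauthUri({ secret, account, issuer = "", algorithm = "SHA1", digits = 6, period = 30 }) {
  if (!B32_RE.test(secret)) throw new Error("secret must be uppercase Base32");
  // The label is "issuer:account"; the issuer is repeated as a query parameter
  // because some apps read the label and others the parameter.
  const label = issuer ? `${issuer}:${account}` : account;
  const q = new URLSearchParams({ secret, algorithm, digits: String(digits), period: String(period) });
  if (issuer) q.set("issuer", issuer);
  return `otpauth://totp/${encodeURIComponent(label)}?${q}`;
}

function parseOtpauthUri(uri) {
  const u = new URL(uri);
  if (u.protocol !== "otpauth:" || u.host !== "totp") throw new Error("expected otpauth://totp/");
  const label = decodeURIComponent(u.pathname.replace(/^\//, ""));
  const sep = label.indexOf(":");
  const q = u.searchParams;
  const out = {
    issuer: q.get("issuer") ?? (sep >= 0 ? label.slice(0, sep) : ""),
    account: sep >= 0 ? label.slice(sep + 1) : label,
    secret: (q.get("secret") ?? "").toUpperCase(),
    algorithm: (q.get("algorithm") ?? "SHA1").toUpperCase(),
    digits: Number(q.get("digits") ?? 6),
    period: Number(q.get("period") ?? 30),
  };
  if (!B32_RE.test(out.secret)) throw new Error("secret is not Base32");
  if (!ALGORITHMS.includes(out.algorithm)) throw new Error(`unsupported algorithm ${out.algorithm}`);
  if (![6, 8].includes(out.digits)) throw new Error("digits must be 6 or 8");
  if (!Number.isInteger(out.period) || out.period <= 0) throw new Error("period must be a positive integer");
  if (sep >= 0 && q.get("issuer") && q.get("issuer") !== label.slice(0, sep))
    throw new Error("issuer parameter does not match label");
  return out;
}
```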

Core features

  • Cryptographically random 160-bit secret via crypto.getRandomValues().
  • Live TOTP code that refreshes every 30 or 60 seconds, matching your authenticator app exactly.
  • Animated countdown arc showing time remaining in the current window with colour-coded urgency.
  • Scannable QR code with instant download as PNG.
  • Configurable algorithm (SHA-1, SHA-256, SHA-512), digit count (6 or 8), and period.
  • otpauth:// URI display and one-click copy for manual app enrolment.

How to set up TOTP two-factor authentication

Step 1: Click Generate / Refresh to create a new Base32 secret. Optionally enter your account email and service name so they appear clearly in your authenticator app.

Step 2: Open your authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, etc.) and choose 'Scan QR code'.

Step 3: Point the camera at the QR code on screen. The tool is now enrolled. Verify the live code here matches the one in your app.

Step 4: Store the raw Base32 secret in your password manager as a backup. If you lose your phone, you can re-enrol from the secret alone.

Professional use cases

Developer testing

Generate test TOTP secrets to verify your 2FA implementation validates codes correctly before shipping.

Personal account security

Set up two-factor authentication for personal services that support TOTP, even when the provider's UI is inconvenient.

Security training

Demonstrate live how TOTP works in workshops, making the time-based algorithm visible and tangible for students.

Offline verification

Generate and verify codes without a mobile device — useful in air-gapped environments or when your phone is unavailable.

Tips for better results

  • Always keep a backup of the raw Base32 secret in a password manager. The QR code is just a visual encoding of it.
  • SHA-1 is the default because most authenticator apps only support SHA-1. Check your app's documentation before using SHA-256 or SHA-512.
  • Keep your device clock accurate. TOTP codes are derived from the current time — a clock more than 30 seconds off will produce mismatched codes.
  • Never share your secret key. Anyone who has it can generate valid codes indefinitely.
  • When testing integrations, remember that most servers accept codes from the previous and next window (±1 step) to account for clock drift.

Frequently asked questions about TOTP

What is TOTP and how does it work?

TOTP (Time-Based One-Time Password, RFC 6238) generates a short numeric code from a shared secret and the current Unix time. The code refreshes every 30 seconds and provides a second authentication factor beyond just a password.

Is my secret key sent to the server?

No. Everything runs in your browser using the Web Crypto API (HMAC-SHA1/SHA-256/SHA-512). Your secret key, QR code, and generated tokens never leave your device.

Can I use this with Google Authenticator or Authy?

Yes. The tool generates a standard otpauth:// URI and a scannable QR code compatible with Google Authenticator, Authy, Microsoft Authenticator, 1Password, and all RFC 6238 compliant apps.

What is Base32 encoding in the TOTP secret?

TOTP secrets are encoded in Base32 (RFC 4648) — only uppercase A–Z and digits 2–7. This format avoids ambiguous characters and is the standard expected by all authenticator apps.

Should I save the secret key or just the QR code?

Save both. The secret key is the source of truth. If you lose access to your authenticator app, you will need the raw secret to re-enrol. Store it in a secure password manager alongside your account credentials.