TOTP Generator

Generate time-based one-time passwords for two-factor authentication.


What Is TOTP?

TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238 that generates short-lived numeric codes based on a shared secret and the current time. TOTP is the standard behind apps like Google Authenticator, Authy, Microsoft Authenticator, and hardware tokens.

Each TOTP code is valid for a short window (typically 30 seconds) and then expires, which sharply limits the window in which a captured code can be replayed. This is what powers the "6-digit code" step when you log in to services with two-factor authentication (2FA).

How TOTP Works

  1. A shared secret (Base32-encoded) is established between the server and your authenticator app, usually via a QR code.
  2. Both sides independently compute HMAC-SHA1(secret, floor(currentTime / 30)), where currentTime is the Unix time in seconds and 30 is the time step.
  3. A 6-digit code is derived from the HMAC output using dynamic truncation.
  4. Since both sides use the same secret and the same clock, they produce the same code at the same time.

How to Use This Tool

  1. Enter your Base32 secret key (the same key your authenticator app uses).
  2. Click Generate to see the current TOTP code.
  3. The code refreshes every 30 seconds — generate again to get the latest code.

Common Use Cases

  • Two-Factor Authentication (2FA): Add a second layer of security to logins beyond just a password.
  • Development Testing: Verify your TOTP implementation generates correct codes.
  • Account Recovery: If your authenticator app is unavailable, use the Base32 secret to generate codes.
  • Server-Side Verification: Test that your server correctly validates TOTP codes during authentication flows.

TOTP Security Best Practices

  • Store backup codes securely in case you lose access to your authenticator device.
  • Keep the Base32 secret private — anyone with the secret can generate valid codes.
  • Use TOTP over SMS-based 2FA — SMS codes are vulnerable to SIM-swapping attacks.
  • Ensure clock synchronization — TOTP depends on accurate time; use NTP on your server.

Frequently Asked Questions

When you set up 2FA on a service, the setup page usually shows a QR code and an option to display the secret key manually. That manual key is your Base32 secret. Save it in a secure location.

Yes. SMS codes can be intercepted via SIM-swapping, SS7 network vulnerabilities, or social engineering. TOTP codes are generated locally on your device from a secret that never travels over the phone network, so there is no SMS message to intercept, making them significantly more secure.