TOTP Generator
Generate and verify Time-based One-Time Password (TOTP) codes for two-factor authentication
TOTP Generator Guide
Learn how to use Time-based One-Time Passwords for two-factor authentication
What is TOTP?
TOTP (Time-based One-Time Password) is an algorithm that derives a 6-digit code from a shared secret key and the current time, producing a new code every 30 seconds. It is widely used for two-factor authentication (2FA) with apps like Google Authenticator, Authy, and Microsoft Authenticator.
How to Use
- Generate a new secret key or enter an existing one
- Scan the QR code with your authenticator app
- The current code will display and update every 30 seconds
- Use the verify feature to test codes from your authenticator
Security Tips
- Keep your secret key safe - anyone with it can generate valid codes
- Backup your secret key in a secure location
- TOTP is more secure than SMS-based 2FA
Browser Support
This tool uses the Web Crypto API for HMAC-SHA1 calculations. All processing happens locally in your browser - your secret key is never sent to any server.
Frequently Asked Questions
How does TOTP work?
TOTP combines a secret key with the current time to generate a unique code. Both your device and the server share the same secret key and use the same algorithm (HMAC-SHA1). Since they both know the time, they can independently generate the same code without communicating.
Why do TOTP codes expire every 30 seconds?
The 30-second window provides a balance between security and usability. Shorter windows would be more secure but harder to use. The 30-second period allows enough time to read and enter the code while limiting how long a captured code stays usable by an attacker.
What if my clock is wrong?
TOTP is time-sensitive, so clock drift can cause codes to fail. Most servers accept codes from the previous and next time windows to account for slight time differences. If codes consistently fail, synchronize your device's clock with an internet time server.
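The code generation and the previous/next-window acceptance described in the two answers above, as an added example (not this tool's own code). It assumes a base32-encoded secret, 6 digits and a 30-second step; the function names are chosen for the example and the sample secret is the published RFC 6238 test key.

```javascript
const STEP = 30, DIGITS = 6;
// Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
const RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

// Decode an RFC 4648 base32 secret (assumed encoding of the shared key).
function base32Decode(text) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
  const out = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/[\s=]/g, "")) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) throw new Error("invalid base32 character: " + ch);
    value = ((value << 5) | idx) & 0xfff; // keep only the pending bits
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return new Uint8Array(out);
}

// HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
async function hotp(keyBytes, counter) {
  const subtle = globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
  const key = await subtle.importKey("raw", keyBytes, { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
  const msg = new DataView(new ArrayBuffer(8));
  msg.setBigUint64(0, BigInt(counter));
  const mac = new Uint8Array(await subtle.sign("HMAC", key, msg.buffer));
  const off = mac[mac.length - 1] & 0x0f; // low nibble of last byte picks the offset
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

const totp = async (secretB32, unixSeconds = Date.now() / 1000) =>
  hotp(base32Decode(secretB32), Math.floor(unixSeconds / STEP));

// Accept the previous, current and next window. Returns the matching step
// offset (-1, 0 or 1), or null when the code matches none of them.
async function verifyTotp(secretB32, code, unixSeconds = Date.now() / 1000) {
  const key = base32Decode(secretB32);
  const now = Math.floor(unixSeconds / STEP);
  let matched = null;
  for (let d = -1; d <= 1; d++) {
    if (now + d < 0) continue; // no window before the epoch
    const expected = await hotp(key, now + d);
    let diff = expected.length ^ code.length; // compare without early exit
    for (let i = 0; i < expected.length; i++)
      diff |= expected.charCodeAt(i) ^ (code.charCodeAt(i) || 0);
    if (diff === 0) matched = d;
  }
  return matched;
}
```

A server-side verifier should also remember the last time step it accepted and refuse a code for that step or an earlier one, because each accepted window otherwise lets a captured code be replayed while it is still valid.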
Is TOTP secure?
TOTP is significantly more secure than password-only authentication or SMS-based 2FA. However, the secret key must be protected. If an attacker obtains your secret key, they can generate valid codes. Use TOTP in combination with a strong, unique password for best security.
What's the difference between TOTP and HOTP?
TOTP uses time as the counter, generating a new code every 30 seconds. HOTP (HMAC-based OTP) uses an incrementing counter instead. TOTP is more common because it doesn't require synchronization of counters between device and server, making it more reliable.