TOTP (One-Time Password) Generator

Generate the same 6-digit one-time password (RFC 6238) as Google Authenticator and similar apps from a Base32 TOTP secret, entirely in your browser. Your secret is never transmitted.

This tool never sends your secret to any server. Base32 decoding and HMAC computation happen entirely inside your browser (Web Crypto API), so you can safely enter authentication credentials here.

About the TOTP Algorithm

TOTP (Time-based One-Time Password) is a time-based one-time password algorithm defined in RFC 6238. It converts a shared secret and the current time into a counter that advances at fixed intervals, then derives a numeric code using the same dynamic truncation algorithm as HOTP (RFC 4226).

HMAC algorithm Choose from SHA-1 (default), SHA-256, or SHA-512
Code length 6 digits (the same standard length used by Google Authenticator and most major 2FA apps)
Refresh interval A new code is generated every 30 seconds

Tips

  • The secret is the "setup key" string shown below the QR code when you first register two-factor authentication (2FA). If you already registered it in a phone authenticator app, entering the same secret here lets you cross-check the code.
  • Some services use a hash algorithm other than SHA-1 (SHA-256 or SHA-512). If the generated code doesn't match your actual app, try switching the algorithm.
  • The code refreshes automatically every 30 seconds, with a progress bar showing the time remaining. Be careful copying a code right before it expires, since it may become invalid before it reaches the service you're authenticating with.
  • Closing this browser tab permanently discards the secret; nothing is ever saved anywhere. If you want to keep it as a backup, store the secret itself somewhere secure, such as a password manager.

FAQ

Yes. Base32 decoding and HMAC computation all run inside your browser via the Web Crypto API and are never sent to any server. You can verify this yourself by inspecting network traffic — the secret you enter is never transmitted.

This is usually caused by a mismatched hash algorithm (most services use SHA-1, but some use SHA-256 or SHA-512) or a clock that's out of sync. First, try switching the algorithm; if it still doesn't match, check that your device's clock is set to sync automatically.

TOTP is generally considered more secure. SMS messages can be intercepted through phone number takeover (SIM-swap fraud), whereas TOTP is computed entirely on your device and isn't vulnerable to that type of attack.

Most services issue "recovery codes" when you first set up 2FA. If you've lost the secret itself, you'll need to go through the service's account recovery process (identity verification) to re-register two-factor authentication.
ツールくん

Side Note — Why Two-Factor Codes Settled on 6 Digits

OATH (the Initiative for Open Authentication), which drafted the TOTP specification (RFC 6238), simply reused HOTP's (RFC 4226) dynamic truncation algorithm and left the code length up to each implementation. Six digits became the de facto industry standard largely because Google Authenticator adopted that length in its original 2010 implementation, and many other services and libraries followed suit.

Six digits also happens to be a sweet spot. With one million possible combinations (10^6) and a short 30-second validity window, brute-forcing a code becomes practically impossible, while anything longer would be impractical for a human to memorize and type. It's no coincidence that most SMS verification codes are also 6 digits — the industry converged on this length for any "short-lived, disposable numeric code."

TOTP's predecessor, HOTP (RFC 4226, 2005), used a counter that had to be incremented by one every time a code was used. In practice this caused frequent sync problems — users forgetting to press a button, or the counter on the device and server drifting apart. TOTP, standardized in 2011, replaced the counter with the current time, a reference value everyone can agree on, dramatically simplifying operations.